Author: DarkOwl Content Team

The Underground Exotic Wildlife Trade

In response to the worldwide phenomenon that is Netflix’s wildly successful Tiger King docu-series, many viewers now understandably have questions about where and how the sale of exotic animals takes place. That is, other than in back-alley handshakes between Joe Exotic and Doc Antle. Having observed sales of exotic animals on the darknet in the past, we decided to put together this briefing on how darknet vendors market and sell animals and animal parts in underground markets.

We were also interested to see if there has been an uptick in this type of listing, or an uptick in the demand for these types of purchases as a response to the Netflix series. The conclusion we came to is both good and bad – depending on your stance on exotic wildlife and animal sales. From what we can tell, while there hasn’t been a noticeable surge in the actual exchange of wild animals (or animal goods such as ivory), there is still a thriving marketplace that shows no sign of slowing.

Read on to see some real-life vendor listings on the darknet, including advertisements for the sale of Black Cougar cubs, Jaguar cubs, baby Gorillas, and many more. Note: DarkOwl does not endorse nor support these vendors, sales, or listings in any way. DarkOwl has historically partnered with organizations such as the Global Emancipation Network and Kruger Park to eradicate human and animal exploitation.

Source: Image via Pixabay

Lions, Tigers, and Bears, Oh My

Long before Netflix’s Tiger King became one of the most popular series on television, DarkOwl analysts reaffirmed the existence of an elaborate black market on the darknet driven by the exotic wildlife and animal poaching industry. The following findings from DarkOwl Vision introduce some of the darknet’s leading vendors in the darknet wildlife trade community, along with their sources.

According to a 2017 report published by INTERPOL, the darknet, specifically the Tor anonymity network, has been a source for illegal wildlife trade since 2015, and likely earlier, as inferred from open source blogs discussing animal endangerment. Using DarkOwl Vision, queries built from exotic wildlife market keywords quickly revealed a number of interesting results across darknet markets and forums. One vendor in particular, “ivoryking” (a.k.a. africanivoryking), has the largest darknet presence in the database, with over 150 documents in DarkOwl Vision advertising African ivory and exotic pets including lion and cheetah cubs, Nile crocodiles, leopards, and baby gorillas across multiple authenticated hidden services.

 
DarkOwl Vision MD5: 8fea97f581c4d7c7dff7691c27371f2c

Many other offers are less commercialized and read more like a local classified advertisement for the exotic animal trade; the user “busuloveline”, for example, posted on the deep web offering foxes, cheetahs, and tigers. Another thread, posted late last year on an Italian darknet forum, listed a number of different types of “exotic pets” for sale and included a surface web Gmail account for contact. The disturbing part of this listing was that it not only included “dog meat”, but also distinguished between a “Bear – Complete” and “Bear paws.” Neither listing included prices for the animals.

 
Source: DarkOwl Vision - Doc ID/MD5: 32ce51c47421bb389b776ceaee135e41

Image Sourced Directly from Tor: http://ferkey4nox6vbqwr[.]onion/viewtopic.php?f=9&t=55789

Source: DarkOwl Vision - Doc ID/MD5: 9be8ce6409fb6bf98ed7f26822181dfa

During the summer of 2019, on The Majestic Garden (TMG) forum, a member known by the moniker “SmallFryHoolagin” initiated a lengthy discussion with an offer for exotic pets, suggesting this was a new line of business they were interested in starting. In their post, SmallFryHoolagin stated that they would only sell to the TMG community and asked for animal recommendations.

Responses ranged from “is this a joke?” to requests for exotic serval cats and Komodo dragons. Many replies alluded to keen interest in toads (e.g. the Bufo alvarius species) that are often exploited for the hallucinogenic effects of the 5-MeO-DMT secreted from their skin.

The popular thread garnered over 5,000 views in the forum, and the comments are insightful regarding trends in market demand on the darknet.

 
 
Source: DarkOwl Vision - Doc ID/MD5: adbdc331e235611b62c2f1be1b38c462

Other darknet exotic animal enthusiasts merely discuss the implications of trying to sell these types of items without getting arrested, sussing out, as SmallFryHoolagin did, whether or not the industry is profitable and open for business. This type of data could serve as an investigative thread for future exotic animal trading on the darknet.

 
DarkOwl Vision MD5: c59bab2212a7dd4b782ace54d78d193d

Inside Sources

One vendor on the darknet, calling themselves “Rough Diamond/Gold & Fossil Export,” also references a surface web URL that directs to “Fossil Realm,” a legitimate Canadian company based in Ottawa that trades in rare fossils, minerals, meteorites and colored gemstones. Many of the minerals are purchased from abandoned packages at shipping companies, meaning they have been shipped illegally.

Fossil Realm’s darknet market advertisement describes their acquisition methods, stating that much of their gold, rhino horn, and elephant tusks are supplied by corrupt government officials, who apparently seize only some of these items, on an arbitrary basis.

 
Source: http://www.fossilrealm.com

In at least one instance, Fossil Realm has publicly stated that their darknet marketplace listings yielded more than 60% profit, and that all of these transactions were done in Bitcoin (BTC) (pictured below).

 
Source: DarkOwl Vision - Doc ID/MD5: 18b8a2a6587bf4b70d8b22baea36a0e6

Another darknet rhino horn vendor claims to source their product from South Africa and to be attempting to create a sustainable market by working with the breeder to allow for horn regrowth between harvests.

 
Source: DarkOwl Vision - Doc ID/MD5: 24e2929da44c76660230ba525669e171

Exotic animals sourced around the Canadian border

 
Image Discovered on http://www.pretyexotics.com

Source: DarkOwl Vision - Doc ID/MD5: be0527743e8d7239c8e9d7b92ef28976a

Based on our research, Canada appears to be a popular source for animal goods, including exotic tusks. For example, one darknet vendor – who recently advertised their trade operation on the controversial darknet market OpenBazaar – stated that their products ship from Alberta (pictured below).

Another deep web classified forum for exotic animals, Prety Exotics (pictured right and above), modeled a marketing approach reminiscent of Fossil Realm’s and included their surface web domain and shopfront in their darknet listing. At the time of publication, Prety Exotics lists their company location as Maplewood, Minnesota, a state bordering Canada.

 
 
 
Source: DarkOwl Vision - Doc ID/MD5: fdc9165a1b168648846ed91b6b3b459a

Despite international law enforcement efforts to track down and stop the trafficking of exotic and endangered species, the darknet wildlife trade industry persists, leveraging the anonymity of the network. Meanwhile, many poachers have shifted to trading these animals openly on platforms like eBay and Facebook.

DarkOwl will continue to monitor this and similar topics of interest to our clients. Stay tuned for future content from our analysts and darknet researchers.

Coronavirus on the darknet Pt 2: The scams keep on coming

This is a continuation of our previous discussion (linked below) about how the global pandemic has created an incredible surge in COVID-19 related scams on the dark web. DarkOwl analysts have been tracking the developments in DarkOwl Vision and have consolidated a round-up of some interesting, concerning, and, in some cases, comfortingly human findings.

See Part 1 of our COVID scam coverage here

A COVID-19 Vaccine

The most recent pandemic-related scam to surface on the dark web is a hidden service dedicated to a COVID-19 vaccine. The Tor hidden service, which appeared the week of the 18th of March, claims that Technology Minister Ofir Akunis confirmed Israeli scientists had developed the first vaccine for the novel coronavirus and that it is available to ship worldwide via DHL. One packet supposedly includes ten 20 ml vials of the COVID-19 vaccine for only $10 USD, payable in Bitcoin.

 
Original Source: http://d5jzfmy5d3oqlia4pnfu37pztv2n3eknxdoi57ycwywb2klkt42b43ad[.]onion

This is not the first “Israeli” antidote offered on the dark web. DarkOwl Vision captured an advertisement posted by darknet user buddrugtrade on March 1, 2020. The post suggested that MIGAL, a research institute in Galilee, Israel, had created a vaccine against a strain of the coronavirus and that the poster had it available to sell. They also included N95 masks in the same classified.

 
Source DarkOwl Vision MD5: d08ea9018d6fe955ed66502e82bc42f2

A similar offer for the vaccine appeared as recently as the end of March, with a scammer offering vials of the vaccine for $115 USD. The advertisement suggests the owner has only 5 vials available to sell, with hopefully more in the future.

 
Original Source: http://dccvdpx2tksoyue5p5cpzqwhwyv4njkfaa3p7km7eyh6kke2atwfoiqd[.]onion

Source DarkOwl Vision MD5: 3d71f76d1fa1e2af3280c0651cbc9c68

Another scammer has a higher price in mind for the vaccine. On 29 March 2020, multiple pastes titled “COVID-19 TEST WAS SUCCESSFUL” were observed around the dark web, consisting of an offer of 10 vaccines for $100K in BTC. “Now is coming the real one,” the offer reads, as if to suggest the previous offers were not effective or legitimate.

Multiple Offers for COVID-19 Blood Samples

DarkOwl continues to witness numerous scammers offering samples of the virus in the form of blood and saliva. The most recent such listing, at 12:56 UTC on 31 March 2020, attempted to lend legitimacy to the offer, stating that the seller was a “laboratory doctor in Spanish public health” who successfully obtained “24 blood samples and infected sputum of the new COVID-19.” This scammer offered 24 samples for $100 USD (less than $5 per sample) and concluded their classified with even more bioterrorism-flavored material: “I also have 10 liters of morphine and 13 vials of HIV-infected blood in my possession.”

 
Original Source: http://depastedihrn3jtw.onion/show.php?md5=0a4f6c42ec79ea79f8f0984f8e6fafcf

Another advertisement, posted 10 days earlier, stated that the seller’s father was infected with COVID-19 and that, while at the hospital, the seller managed to collect one syringe of blood, which they injected into 10 bats. The asking price is only $32 USD for a sample; a small payment is required before the seller will answer any questions.

This price is considerably cheaper than the $1,000 USD offer for a blood and saliva sample observed on a darknet market in early March, but not as ominous or anarchy-inducing as an offer for the live virus by a user known as drdeath41: “Great for the coworker you don’t like. Or spread it in the ghetto if you’re like that or maybe let it loose at the country club.” – Source DarkOwl Vision MD5: d87605d2f17f877991b35f8307de89a7

Original Source: http://depastedihrn3jtw.onion/show.php?md5=3e901ee29814c57c1950a0db6ca829e7

Offers for Test Kits and Thermometers

The lack of available COVID-19 test kits and the shortage of personal protective equipment (PPE) and support equipment has one scammer offering test kits, infrared thermometers and masks. The advertisement did not include a Bitcoin address or a price, but provided a Texas (USA) WhatsApp number for “Serious Inquiries Only”. Using DarkOwl Vision to pivot on the contact information, the phone number is also affiliated with numerous other offers across the dark web for drugs, with the surface web shop worldglobalpharmacy.com, and for counterfeit items under the Telegram ID @drHades.

 
Original Source: https://paste.depesz.com/s/XQf

Source DarkOwl Vision MD5: 6730696059c0a9df23926a12ce7dcc8f

URL Redirects to Abuse

DarkOwl analysts reviewed various posts on forums and darknet paste sites and found that much of the “Coronavirus” content simply redirects the reader to a possibly malware-laden URL or to a prompt to submit a cryptocurrency payment in exchange for information.

This has become such an issue that many domain registrars have turned to denying domain registrations containing the words “covid” or “corona” to combat the growing abuse.

 
Original Source URL Redacted. Link to “Information” from dark web redirects visitor to pay for download for the COVID-19.zip file.

Source DarkOwl Vision MD5: 2a48e3872b7519cc33c87a9e4e4da6be

Can a Darknet Pure Frequency Kill COVID-19?

On the 3rd of April, 2020, another unexpected advertised “cure” for the coronavirus appeared on the dark web. An anonymous user posted a link to an MP3 file in a paste titled “Pure Frequency to Kill corona virus,” along with a suggestion to listen to the frequency 3 to 6 times a day for maximum results.


Masks Are Still Readily Available

As we mentioned in our previous report, all types of masks are for sale on the dark web, including the N95 respirator type that is in high demand. A Tor hidden service whose v2 onion address begins with “corona” has “Aura 3M & Farstar medial N95 face Masks” available in packs of 10 for 80 EUR.

Original Source: http://coronajkkhq6dygj[.]onion
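The 16-character address above is a v2 onion name, unlike the 56-character v3 addresses cited elsewhere in this round-up. The following is an added example, not DarkOwl code, showing how an analyst can classify an address pulled from a listing (defanged “[.]onion” forms included) and verify the checksum that v3 addresses carry, so that a mistyped or fabricated v3 address is caught before it is recorded as an indicator. The 32-byte key used in the demo is a constructed placeholder, not a real service key.

```python
"""Classify Tor onion addresses found in listings and verify v3 checksums.

Added example, not DarkOwl code. v2 addresses are 16 base32 characters
(a truncated SHA-1 of the service key, no checksum; Tor deprecated v2 in
2020 and dropped support in 2021). v3 addresses are 56 base32 characters
encoding PUBKEY(32) | CHECKSUM(2) | VERSION(1), where
CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2] per the Tor
rend-spec-v3. The key in __main__ is a constructed placeholder.
"""
import base64
import hashlib
import re

# Accepts bare labels, URLs and the defanged "x[.]onion" form used in reports.
ONION_RE = re.compile(r"^(?:https?://)?([a-z2-7]+)\[?\.\]?onion(?:[/:?#].*)?$", re.I)


def _checksum(pubkey, version=3):
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def v3_address_from_pubkey(pubkey):
    """Build a v3 .onion name from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + bytes([3])
    return base64.b32encode(raw).decode().lower() + ".onion"


def classify_onion(url):
    """Return (kind, detail): kind is 'v2', 'v3' or 'invalid'.

    For 'v2'/'v3' detail is the normalised label; for 'invalid' it is the
    reason, so an analyst can tell a typo from a deliberately bogus address.
    """
    m = ONION_RE.match(url.strip())
    if not m:
        return "invalid", "not an onion address"
    label = m.group(1).lower()
    if len(label) == 16:
        return "v2", label                     # v2 carries no checksum to verify
    if len(label) != 56:
        return "invalid", "unexpected label length %d" % len(label)
    try:
        raw = base64.b32decode(label.upper())  # 56 chars -> exactly 35 bytes
    except ValueError:
        return "invalid", "bad base32"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != 3:
        return "invalid", "version byte %d" % version
    if checksum != _checksum(pubkey):
        return "invalid", "checksum mismatch"
    return "v3", label


if __name__ == "__main__":
    demo_key = bytes(range(32))                # constructed placeholder key
    print(classify_onion(v3_address_from_pubkey(demo_key)))
    print(classify_onion("http://coronajkkhq6dygj[.]onion"))
    print(classify_onion("http://ferkey4nox6vbqwr[.]onion/viewtopic.php?f=9&t=55789"))
```

A v2 label can be brute-forced to a chosen prefix such as “corona” in minutes on commodity hardware, so a vanity prefix says nothing about who runs the service; a v3 checksum failure, by contrast, means the address was never generated by Tor and cannot resolve.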

DarkOwl Vision also captured a member of The Cyber Army Telegram group offering an N95 mask with a certified expiry date of March 16, 2020.

Source DarkOwl Vision MD5: 4abe8bebdfa89a20c68c0a85d8e6688a

Original Source: https://3dprintingcenter.net/covid-19-3d-printinghealth-protective-designs/

Another clever advert, submitted by “Tequila_Wolf,” redirects the reader to a legitimate external link on a 3D printing center’s website. The website, CD3D, offers designs for 3D-printed protective face shields, masks for a noninvasive ventilator, and hands-free door openers.

According to DarkOwl Vision’s history, Tequila_Wolf has a remarkable dark web presence (mentioned in 76K pages) consisting of shared news articles and geopolitical commentary, much of it COVID-19 specific.

Criminals Discuss Benefits of COVID-19

Dark web user Loserdub offered an interesting perspective on the COVID-19 crisis, commenting in an “Illegalism” channel on the popular darknet forum Raddle that they had found police presence minimal and shoplifting easier than ever.

Another user on the forum added that they use a medical face mask to conceal their identity.

Original Source: http://lfbg75wjgi4nzdio[.]onion/f/Illegalism/108236

Anti-Malarial Drugs Now Available

Since US President Donald Trump suggested that anti-malarial drugs such as chloroquine and hydroxychloroquine may have potential use in fighting COVID-19, scammers have also started offering these drugs for sale on the darknet. The phone number used by the scammer offering virus test kits under the Telegram handle @drHades also appears in the advertisement for chloroquine, this time alongside the Telegram ID @oraclez. This is further evidence of an elaborate scamming network on the darknet looking to profit from the COVID-19 crisis.

Source DarkOwl Vision MD5: 35583a153b32bd408ffa9bfbdb8e2e43
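The pivot described above and in the test-kit listing earlier (one phone number linking test kits, drugs and counterfeit goods under two Telegram handles) can be automated once contact indicators are normalised. The following is an added example, not DarkOwl code and not DarkOwl Vision output; the listings, phone number, handles and Bitcoin address in it are constructed for illustration and are not the indicators from the post.

```python
"""Pivot on contact indicators to link separate darknet listings.

Added example, not DarkOwl code and not DarkOwl Vision output. It shows the
kind of pivot the post describes (one phone number tying test-kit, drug and
counterfeit adverts together). The listings, phone number, handles and
Bitcoin address below are constructed and are not the post's indicators.
"""
import re
from collections import defaultdict

# Constructed sample listings (hypothetical text; not real adverts).
LISTINGS = {
    "L1": "COVID-19 test kits, IR thermometers, masks. Serious inquiries only. "
          "WhatsApp +1 555 010 9999",
    "L2": "Chloroquine 250mg available. telegram @oraclez_demo, wa +1 (555) 010-9999",
    "L3": "Counterfeit watches. contact telegram: @drhades_demo or whatsapp +15550109999",
    "L4": "N95 masks pack of 10, 80 EUR. btc 1BoatSLRHtKNngkdXEeobR76b53LETtpyT",
    "L5": "Pure frequency to kill corona, listen 3-6 times a day. no contact",
}

# Loose patterns: classifieds are free text, so normalise after matching.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
TELEGRAM_RE = re.compile(r"(?<![\w.])@([A-Za-z0-9_]{5,32})")  # skips e-mail addresses
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")    # legacy P2PKH/P2SH form


def extract_indicators(text):
    """Return the set of normalised contact/payment indicators in one listing."""
    found = set()
    for m in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 8 <= len(digits) <= 15:              # E.164 length bounds
            found.add("phone:" + digits)
    for m in TELEGRAM_RE.finditer(text):
        found.add("tg:" + m.group(1).lower())   # Telegram handles are case-insensitive
    for m in BTC_RE.finditer(text):
        found.add("btc:" + m.group())           # addresses are case-sensitive
    return found


def cluster_listings(listings):
    """Union listings that share any indicator.

    Returns (clusters, index): clusters is a list of sorted listing-id lists
    with two or more members; index maps each indicator to the listing ids
    that carry it.
    """
    parent = {lid: lid for lid in listings}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]       # path halving
            x = parent[x]
        return x

    index = defaultdict(set)
    first_seen = {}
    for lid, text in listings.items():
        for ind in extract_indicators(text):
            index[ind].add(lid)
            if ind in first_seen:
                parent[find(lid)] = find(first_seen[ind])
            else:
                first_seen[ind] = lid

    groups = defaultdict(list)
    for lid in listings:
        groups[find(lid)].append(lid)
    clusters = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    return clusters, dict(index)


if __name__ == "__main__":
    clusters, index = cluster_listings(LISTINGS)
    for group in clusters:
        shared = [i for i, ids in index.items() if len(ids & set(group)) > 1]
        print(group, "linked by", shared)
```

Normalisation matters more than the regexes: the same number is written three ways in the sample and only links up because every form collapses to its digits. On real data the phone pattern needs a country-code table and the Bitcoin pattern should also cover bech32 (bc1...) addresses.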

Quantifying Potential Increase in Darknet Usage Due to COVID-19

DarkOwl analysts were asked by a third party to review potential quantitative approaches to measuring trends in darknet use due to COVID-19 and the associated government-mandated shelter-in-place orders. The hypothesis was that with more of society confined to their homes there would be an increase in darknet drug market use and purchases. Some darknet drug forums supported this theory, with new users asking how to purchase drugs from markets and some forums experiencing what could have been interpreted as a “surge” in usage.

One such forum that has had a historical presence on the darknet is Darknet Market Avengers (DMA).


Another popular darknet forum, Dread, also suggested that markets were experiencing a surge in usage, with a thread posted by Dread moderator /u/DrHorrible on 1 April. The moderator’s post also suggested an increase in new market announcements, many for markets that weren’t even online yet. After carefully reviewing market data in DarkOwl Vision, analysts determined that the markets only make vendor profiles public, not necessarily user profiles, so market data alone cannot show growth in buyers.

In many cases, even the market vendor profiles were encrypted and not easily captured by the engine autonomously. This prompted a review of forum data to see whether there was any empirical evidence to support the theory of increased darknet use, and a side effort to collect hundreds of thousands of user registrations across many darknet drug-specific forums to see whether an exponential increase in registrations existed.


Unfortunately, the data captured from Darknet Market Avengers exhibited trends similar to the registrations recorded at Envoy, another drug-specific darknet forum. DarkOwl observed an average of about 225 new user registrations per day over the last three months. These numbers are consistent with the forum’s registration rate in 2019 and 2017. The forum also experienced periods of DDoS attacks in the first two weeks of October 2019 and the first week of February 2020, along with many other markets and forums on Tor.

Aggregate Number of Forum Registrations on Popular Darknet Drug Forums

These drops in registrations are evident visually in the monthly and weekly comparisons in the bar chart below. DarkOwl did not observe data to support the assumption that darknet usage had increased in recent months; if anything, the data merely confirms that the darknet is conducting business as usual during the COVID-19 pandemic.
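The registration-rate analysis described in this section (a daily baseline of about 225 sign-ups, dips during DDoS periods, and no surge week) can be reproduced on any per-day count series. The following is an added example, not DarkOwl’s analysis code; the daily counts are constructed, with a one-week collapse standing in for a DDoS outage and a one-week spike standing in for the surge that was not observed, so that both detectors are exercised.

```python
"""Baseline daily forum registrations and flag surges and outages.

Added example, not DarkOwl's analysis code. The counts are constructed: a
steady ~225 registrations/day (the rate the post reports for Darknet Market
Avengers) with deterministic jitter, a one-week collapse standing in for a
DDoS outage, and a one-week spike standing in for a genuine usage surge.
"""
from datetime import date, timedelta
from statistics import median

START = date(2019, 12, 1)      # hypothetical start of the collection window


def build_sample_series(start=START, days=120):
    """Constructed registrations per day, keyed by date (not real data)."""
    series = {}
    for i in range(days):
        count = 200 + (i * 37) % 50          # jitter in 200..249, no RNG
        if 42 <= i <= 48:
            count = 20                       # hypothetical week-long DDoS outage
        if 98 <= i <= 104:
            count = 600                      # hypothetical week-long surge
        series[start + timedelta(days=i)] = count
    return series


def weekly_means(series):
    """Mean registrations per 7-day window, keyed by ISO date of window start."""
    start = min(series)
    buckets = {}
    for day, count in series.items():
        week_start = start + timedelta(days=7 * ((day - start).days // 7))
        buckets.setdefault(week_start.isoformat(), []).append(count)
    return {wk: sum(c) / len(c) for wk, c in buckets.items()}


def summarize(series, dip_ratio=0.5, surge_ratio=1.5):
    """Use the median as a robust baseline so outage weeks do not drag it down.

    Days below dip_ratio * baseline are flagged as probable outages (the post
    attributes such drops to DDoS against Tor forums); 7-day windows whose
    mean exceeds surge_ratio * baseline are flagged as genuine surges.
    """
    baseline = median(series.values())
    dip_days = sorted(d.isoformat() for d, c in series.items() if c < dip_ratio * baseline)
    surge_weeks = sorted((wk, m) for wk, m in weekly_means(series).items()
                         if m > surge_ratio * baseline)
    return {"baseline": baseline, "dip_days": dip_days, "surge_weeks": surge_weeks}


if __name__ == "__main__":
    result = summarize(build_sample_series())
    print("baseline/day:", result["baseline"])
    print("probable outage days:", result["dip_days"])
    print("surge weeks (start, mean/day):", result["surge_weeks"])
```

The median baseline is deliberate: a mean over the same window would be pulled down by the outage week and up by the spike, blurring exactly the comparison the post makes between the last three months and the 2019 and 2017 rates.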

We will continue to watch as trends emerge and report back here.

Coronavirus scams on the darknet: Pt 1

Viruses on the darknet are nothing new. You can easily find vendors selling Bots, Password Crackers, Rootkits, Adware, Backdoor Access, Keyloggers, or any other form of Malware, Toolkits and Viruses (MTV) across a wide swath of forums and marketplaces. So, when you see the darknet exploding with discussions of a virus, one might not jump immediately to “infectious disease.”

However, the darknet is not so far removed from mainstream society as to ignore the pandemic we find ourselves facing. We’ve recently observed the emergence of coronavirus-related products, discussions, scams, and general hysteria across Tor, IRC, I2P, Telegram, and the like. Here are some examples of COVID-19 related goings-on amidst the recent outbreak.

“I sell my infected blood and saliva”

Thus far, we have come across at least one individual advertising the sale of live COVID-19. For $1,000, this enthusiastic vendor will allegedly ship you a biohazardous weapon in the form of their COVID-19 infected bodily fluids. Yikes. The only good news about this situation is that it is most certainly a scam.

Listing on Tor selling fluids infected with COVID-19 that appeared late February 2020

Coronavirus vaccinations

Certain marketplaces and vendors are also claiming to have access to a vaccination for COVID-19. In the example below, a listing dated as having been posted last Saturday shows a vendor on Piazza (a darknet marketplace) offering to sell coronavirus vaccines AND antidotes to “serious buyers.”

Screenshot from DarkOwl Vision of a vendor on Tor selling “coronavirus antidotes and vaccines”

Masks and hand-sanitizer

As eBay and Amazon make great efforts to scale back sales of health and wellness products due to price gouging and fears of counterfeiting, the darknet is seeing a rise in listings for products in this category, including CDC-approved face masks.

Listing on Tor for Aura 3M and Farstar N95 surgical masks

DarkOwl Vision screenshot of a listing on Tor for medical-grade masks that includes a positive review from satisfied customers.

Pricing for these masks has ranged considerably from what we’ve seen. The vendor in the screenshot below is selling a single mask for $342.00 (listed as half off its original price of $684.00 due to a promotion), while the vendor in the image above is selling packs of 10 – 12 for around $30.

DarkOwl Vision screenshot of a checkout cart showing a “VENUS N95 POLLUTION MASK” selling for over three hundred dollars.

There are also several listings for “stolen” masks. (It’s worth noting that this vendor also claims to have “african crafts and talismans with powers” for sale, and claims to be able to “blackmail anyone to do anything” for a price…so, probably not the most legit listing.)

DarkOwl Vision screenshot of a listing on Tor for 800 “stolen” “corona virus masks”

Hand sanitizer has not appeared in the same measure, but given the number of homemade recipes circulating on the surface web, we imagine it is only a matter of time. We have found at least one listing for hand sanitizer, posted on Tor today (3/12/20).


Coronavirus themed forums, discussions and channels

Overall, it would appear that the darknet is reacting fairly similarly to the rest of the internet. There is a palpable amount of fear, uncertainty, panic….and those willing to capitalize on it.

Take this individual, for example, who is using the opportunity to tout their marijuana pills as a preventive measure against contracting the virus (pictured below).

Screenshot of a vendor on Tor attempting to leverage COVID-19 as a means of selling their own product

With the extent of questions, ideas and conspiracy theories to be discussed, it is no surprise that various COVID-19 specific darknet forums have emerged as hubs for the community, including a dedicated subdread.

Coronavirus subdread (of Dread forum on Tor)

There are now also several Chinese coronavirus Telegram channels. While some seem to be just for general discussion, others appear to be tailored towards those under quarantine.

Considering that the Chinese government has reportedly been censoring terms related to COVID-19 on WeChat, a popular chat app, it makes sense that Telegram has filled the gap to become a resource for open discussion about the COVID-19 pandemic.

Essentially, when it comes down to it, what we’re seeing the most of are people simply being human and wanting to talk about what’s going on.

What we’re watching for

As this global crisis continues to unfold, we’ll be keeping an eye on the darknet to see how the severe social and economic measures being taken around the world to mitigate the spread of this virus, and to produce medical resources including testing kits and a vaccine, affect the darknet markets.

Will buyers continue to purchase items from marketplaces, without being sure of their country of origin? Will a potential scarcity in medical devices due to limited resources slow the production of the home-cooked drugs that most of these marketplaces are known for? We’re likely soon to find out, so be sure to check back for updates.

DarkOwl LLC takes Darknet Search to the next level with strongly enhanced features in their New User Interface

Denver, CO – February 14, 2020 – DarkOwl LLC, a Denver-based darknet data provider, is proud to announce the roll-out of our new Vision User Interface (UI). The DarkOwl Vision platform continues to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data.

DarkOwl Director of Product, Sarah Prime noted, “We have many initiatives planned for 2020, and this is just the beginning; this new design makes it easier and more efficient to find threats and compromised data on the darknet. We’re excited to continue adding features to better serve our customers.”

Vision’s new UI improves simplicity of use and allows for more intuitive navigation of our darknet collection. Aligning with modern design principles, the enhanced UI also allows for improved monitoring by making it simpler to automate searches, one of our most heavily used features. By making other improvements such as allowing users to access all of their data from the first page and streamlining commonly used search tools such as Filters, our new UI makes our data more accessible and actionable than ever.

“I am very proud of our product and development teams for the work they have put in on this new release. Our new UI is even more intuitive, faster, and will provide a range of new tools to parse the larger amount of data we now collect and index from the dark net. This is a big step for DarkOwl’s customers.” said Mark Turnage, CEO of DarkOwl.

Media Contact: [email protected]

About DarkOwl

DarkOwl was founded in 2016 with the mission of collecting the broadest dataset of darknet content available in the cyberdefense industry and making that data both accessible and valuable to its clients. By empowering its customers to have eyes on the darknet, DarkOwl enables organizations to fully understand their security posture, detect potential breaches, mitigate them quickly, and investigate even the furthest and most obscure reaches of the internet.

Nation State Actors on the Darknet

An introductory overview of Nation-State Actors on the dark web

One defining characteristic of the dark web is its association with criminal activity. In general, it is known as a haven for drug and gun dealers, hackers, pornographers, scam artists and other criminals. But, this stereotype may at times be oversimplified. While there are some objectively clear cut parameters of criminality, there also is a grey area comprised of politically motivated operatives who may or may not be committing crimes as commonly defined, but are nevertheless acting to influence and further an agenda of their own making. These groups, including Nation-State Actors – state-sponsored hackers with a cyber warfare mission – are worth examining in their own right.

Why Nation-States turn to the dark web

The dark web provides an anonymous environment in which anyone can operate. Of importance and relevance to Nation-States, a number of key objectives can be carried out under this cloak of anonymity. Nation-State cyber actors utilize the dark web to conduct intelligence collection and source development, government and corporate espionage, exploit development and testing, disinformation operations for geopolitical influence, infrastructure disruption, and financial gain.

  • Intelligence and Espionage — The early beginnings of cyber-based information operations were conducted by the US government’s National Security Agency (NSA) and China’s People’s Liberation Army (PLA). While the NSA used information operations for covert intelligence collection against foreign adversaries, China is well known for its extensive and successful espionage and intellectual property theft activities. This includes surveillance of its own citizens and of their use of the dark web to attempt to circumvent state controls.

  • Infrastructure Disruption — Nation-State-funded cyber campaigns against other Nation-States have become widespread, principally targeting networks containing sensitive government or corporate information and strategic plans. In late 2015, Russia demonstrated how cyber attacks against critical infrastructure (e.g., telecommunications, utilities) and information outlets could produce kinetic effects and cripple a Nation-State, with the attacks on Ukraine’s power grid during the ongoing conflict over Crimea. Additional cyber-based attempts to infiltrate key US utility infrastructure have been detected and reported by the US Department of Homeland Security and multiple cybersecurity researchers.

  • Activism and Propaganda — Whether it is religious differences in the Middle East or ideological differences in the South China Sea, political activism and propaganda have been an effective weapon of Nation-States for decades. Given society’s shift to persistent digital communications, cyber has become a preferred medium for this type of activity. Nation-States, both large and small, have used cyber activity to do everything from promoting their agendas, to propping up proxy states both in the dark web and across social media platforms.

  • Exploit Acquisition and Development – Many blackhat exploits are discussed in dark web forums and encrypted chats, as frequently observed in DarkOwl Vision. System vulnerabilities are detailed and shared for all types of critical operating systems and Unix distributions. The dark web provides a valuable resource for researching and testing source code anonymously.

  • Profitability – Countries facing severe US and UN economic sanctions are turning to the dark web for financial gain. In recent years, North Korea has successfully launched hacks against national banking systems across East Asia.

What Nation-State Actors are significant in the dark web

Over the past several years, DarkOwl researchers have noted that Nation-States increasingly use the dark web as an information battlefield for intelligence and military cyber campaigns. In the era of digital information operations, the United States, Russia and China are the Nation-State actors most discussed in mass media and open source reporting. While those three still clearly lead in cyber-focused funding and manpower, a number of less well-known Nation-States have risen significantly, helped by the advanced exploits leaked in recent years and the opportunity to reverse engineer them.

Analysis: Estimating the most powerful Nation-State Actors on the dark web (by country)


Background on global cyber warfare climate:

Modern cyber warfare has an older pedigree than one might suspect, originating in the influence warfare and propaganda campaigns of the First World War. Information operations and influence warfare have been practiced widely since the world wars, when the Americans and the British used propaganda effectively to shape attitudes around the world, and have been used ever since, covertly and overtly, to influence geopolitical events and populations. A recent example is the troll farm run by Russia’s Internet Research Agency to influence US citizens during the 2016 presidential election. Information operations in the digital sphere are formally defined by the US government in military field manuals and standard operating procedures.

The making of a cyber superpower: Money, Manpower, Skill and Influence

DarkOwl has estimated the relative power of Nation-States on the darknet along the four axes named above. Of the four variables our analysts used to gauge a Nation-State’s cyber power (Money, International Influence, Manpower and Skill), the US, Russia and China lead in every category. All three have significant capital at their disposal, academic infrastructure backing cyber-related research, and a formidable presence on the world economic stage.

Evaluating an additional 16 key Nation-States against the same four variables gives insight into their presence on the dark web and their preference for cyber as a weapon. The release of cyber tools that once belonged exclusively to the NSA and the CIA, however, has given formerly less-powerful nations the ability to reframe themselves as power players and gain influence that was previously out of their reach.

NOTE: a review of all the countries individually can be found at the end of this post in the Annex section.


A changing landscape: A look at the new tools that Nation-States are using on the dark web

Shadow Brokers and the Vault 7/8 releases

In the summer of 2016, the mysterious group calling itself the Shadow Brokers began releasing sets of “ops disks” (toolkits) used by the US National Security Agency, which the group claimed to have stolen; the files themselves were dated to 2013. The unprecedented data gave insight into the inner workings of the most sophisticated hacking organization in the world, NSA’s Tailored Access Operations (TAO). The disks included UNITEDRAKE, a “fully extensible remote collection system” also mentioned in the documents disclosed by Edward Snowden, the former NSA contractor still in exile in Russia. Pronounced “United Rake,” this modular implant supports espionage and surveillance with capabilities such as capturing IP camera and microphone output, logging keystrokes and reading external drives. The toolset also reportedly allows the origin of an operation to be disguised, projecting attribution onto another country or hacking group.

WikiLeaks followed shortly thereafter with the CIA’s Vault 7 and Vault 8 releases, among the largest collections of confidential documents ever to leave the CIA. Vault 7 described the Remote Devices Branch’s UMBRAGE project, a library of attack techniques borrowed from other actors that could be reused to misdirect attribution (false flags), and Weeping Angel, in which IoT devices such as smart televisions are turned into covert listening devices.

The most notable item in Vault 8 was HIVE, a multi-platform CIA malware suite released together with its control software. The project provides customizable covert “implants” for Windows, MikroTik (used in internet routers), Sun Solaris and Linux. HIVE also shipped with complete Listening Post (LP) and command-and-control (C2) infrastructure for communicating with the implants. Both have been studied extensively and are now in the arsenals of hacking groups at every skill level, from amateur script kiddies to advanced Nation-State Actors.

“With UMBRAGE and related projects the CIA can not only increase its total number of attack types but also misdirect attribution by leaving behind the ‘fingerprints’ of the groups that the attack techniques were stolen from. UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.”

How the release of these tools is leveling and redefining the Nation-State Actor playing field

The leaked source code and documentation for these NSA and CIA tools are readily available and widely discussed in dark web communities; dark web enthusiasts on YouTube have posted videos walking viewers through the specifics of the exploits. While the US, China and Russia continue to develop newer and more sophisticated cyber weapons, Nation-States with an emerging cyber capability now have, as a result of these leaks, both the tooling and the knowledge to attack other nations’ network infrastructure and conceal the origin of the attack, further complicating the global Nation-State cyber environment.

The availability of such tools calls into question much of the cybersecurity industry’s reporting on Nation-State attribution. For example, in early October of this year Microsoft reported ‘significant’ activity over the summer against current and former US government officials, journalists covering global politics, and prominent Iranians living outside Iran. The group Microsoft calls “Phosphorus” made more than 2,700 attempts to identify consumer accounts that could serve as entry points. The group, believed to be Iranian, went after both personal and work email addresses, and the activity included attempts to infiltrate President Trump’s re-election campaign.

More recently, the NSA revealed that the Russian “Turla group” had co-opted Iranian tooling and conducted numerous attacks across industries in dozens of countries in recent months. Turla used the Iranian-developed malware Nautilus and Neuron alongside one of its own toolkits, Snake, and gained access to targets by scanning their networks for backdoors the Iranian operators had already planted. Again, this muddies attribution further.

Detection of Nation-State Actors on the Dark Web

As one would suspect, Nation-State Actors are not immediately apparent on the dark web. When a Nation-State launches an operational attack on an entity, or steals critical information, it has little need or desire to put that data up for sale or otherwise dump it across anonymous networks. Likewise, governments will not announce intelligence collection or law enforcement gathering activities unless for the sole purpose of psychological diversion.

After five years of archiving dark web anonymous services and interacting with the dark web community, DarkOwl analysts have identified a number of Nation-State Actor “fingerprints.” We see these fingerprints as both indicators of, and motivators for, Nation-State use of anonymous networks.

Dark web Nation-State Actors leave some key fingerprints that correlate with their motives for using the dark web.

a)    Nation-State Actors use the dark web to purchase and steal cyber exploits

Nation-State Actors acquire exploits from underground markets in order to reverse engineer them, often to build defenses against the same exploit being used against a government or critical network. A key tell of a Nation-State Actor posing as an exploit buyer is a budget far larger than a typical buyer’s. Regular dark web users frequently discuss such ‘tells’ for spotting law enforcement and intelligence agents on the network.

b)    Nation-State Actors obtain credentials belonging to hostile governments and other entities of geopolitical or military interest.

For example, the dark web is replete with US *.gov email addresses that could be used for brute-force intrusion attempts, password spraying or targeted phishing campaigns. At the time of publication, DarkOwl Vision had indexed over 550,000 dark web pages containing credentials with a .gov email address.

Iran also has a significant footprint of leaked government credentials and network information, though it cannot readily be discerned whether this was leaked by another Nation-State Actor or by vigilante hackers. For example, the hacker IranDokht is likely affiliated with a recent deep web paste by the user slntar that listed several dozen Government of Iran website admin panels as targets.
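The exposure described above is also something a defender can measure in their own organization. The script below is an added example, not DarkOwl code or tooling: it takes a credential dump in the common email:password paste format, keeps only public-sector addresses, de-duplicates accounts (dumps routinely repeat the same address in different letter cases), and flags passwords shared by more than one account, since those are what make a password-spraying campaign cheap. The sample lines are constructed, and GOV_SUFFIXES is a small hand-picked assumption rather than an authoritative list of government domain suffixes.

```python
"""Triage a leaked credential dump for public-sector accounts.

Added example, not DarkOwl code. The dump lines are constructed for
illustration, and GOV_SUFFIXES is a small hand-picked assumption, not an
exhaustive list of government domain suffixes.
"""
import re
from collections import defaultdict

# Assumed public-sector suffixes; extend per engagement (hypothetical list).
GOV_SUFFIXES = (".gov", ".mil", ".gov.uk", ".gc.ca", ".gov.au", ".gouv.fr")

# Constructed sample in the "email:password" form common to paste-site dumps.
SAMPLE_DUMP = """\
jane.doe@agency.gov:Winter2019!
JANE.DOE@AGENCY.GOV:Winter2019!
bob@example.com:hunter2
alice@treasury.gov.uk:Passw0rd
mallory@agency.gov:Winter2019!
eve@sub.dept.mil:letmein
malformed-line-without-separator
not-an-email@:pw
"""

# Deliberately strict: one local part, one domain with at least one dot.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def parse_line(line):
    """Split an 'email:password' line; return (email_lower, password) or None.

    Only the first ':' separates the fields, so passwords may contain colons.
    """
    email, sep, password = line.partition(":")
    if not sep or not EMAIL_RE.match(email.strip()):
        return None
    return email.strip().lower(), password


def gov_suffix(email):
    """Return the matching public-sector suffix for an address, or None."""
    domain = email.rsplit("@", 1)[1]
    for suffix in GOV_SUFFIXES:
        if domain.endswith(suffix):
            return suffix
    return None


def triage(dump_text):
    """Group public-sector accounts by domain and flag shared passwords.

    Returns (accounts_by_domain, reused_passwords, skipped_line_count).
    Addresses are lower-cased and de-duplicated so the same account leaked
    twice counts once; passwords shared by two or more distinct accounts are
    reported because they make a password-spraying campaign far cheaper.
    """
    by_domain = defaultdict(set)
    accounts_by_password = defaultdict(set)
    skipped = 0
    for raw in dump_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        email, password = parsed
        if gov_suffix(email) is None:
            continue  # not a public-sector account; out of scope here
        by_domain[email.rsplit("@", 1)[1]].add(email)
        accounts_by_password[password].add(email)
    reused = {pw: sorted(a) for pw, a in accounts_by_password.items() if len(a) > 1}
    return ({d: sorted(a) for d, a in by_domain.items()}, reused, skipped)


if __name__ == "__main__":
    domains, reused, skipped = triage(SAMPLE_DUMP)
    for domain, accounts in sorted(domains.items()):
        print(f"{domain}: {len(accounts)} account(s)")
    for pw, accounts in reused.items():
        print(f"password shared by {len(accounts)} accounts: {', '.join(accounts)}")
    print(f"skipped {skipped} unparseable line(s)")
```

Run against the constructed sample, the script reports two distinct accounts on agency.gov, one each on treasury.gov.uk and sub.dept.mil, one password shared across two accounts, and two unparseable lines; the commercial address is parsed but ignored. Suffix matching on the full domain is deliberate: a plain substring check for "gov" would also match attacker-controlled look-alike domains.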

c)     Elaborate spear-phishing campaigns are not only used by criminals targeting corporate networks; Nation-State Actors employ them for their political and military agendas as well.

Recent reporting suggests that North Korea has used phishing to gain access to numerous academic research organizations and critical US think tanks, following China’s model of technological advancement through digital espionage. During Operation STOLEN PENCIL, North Korea targeted Stanford University’s nuclear programs, proliferation and policies group. The operation’s infrastructure overlapped with other North Korean campaigns: one of the IP addresses used (157.7.184.15) also hosted the domain bigwnet[.]com, which served as command-and-control infrastructure for the “BabyShark” malware.

Earlier this year, DarkOwl found an Iran-based IP address (5.160.246.99) associated with a list of UK government domains, specifically Her Majesty’s Revenue & Customs (HMRC), in a targeted phishing campaign.
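The infrastructure overlap used above to tie STOLEN PENCIL to BabyShark is a standard analytic pivot: an IP address seen hosting domains from two otherwise separate campaigns links them. The script below is an added example, not code from DarkOwl or from the original BabyShark reporting, and it uses constructed passive-DNS-style records with documentation-range IPs rather than the real indicators. It also encodes the caveat a practitioner would apply: an IP that hosts many unrelated domains is probably shared hosting or CDN space, and linking campaigns through it is a classic source of false attribution, so such IPs are discarded above an assumed threshold.

```python
"""Pivot on shared hosting infrastructure across intrusion campaigns.

Added example, not code from DarkOwl or from the original BabyShark /
STOLEN PENCIL reporting. RECORDS are constructed passive-DNS-style
observations that mimic the overlap described in the text (one IP hosting a
phishing domain in one campaign and a C2 domain in another); they are not
real indicators.
"""
from collections import defaultdict

# Constructed records: (domain, ip, campaign, role). Documentation-range IPs.
RECORDS = [
    ("lure-login.example", "203.0.113.15", "CAMPAIGN-A", "phishing"),
    ("docs-share.example", "198.51.100.7", "CAMPAIGN-A", "phishing"),
    ("update-svc.example", "203.0.113.15", "CAMPAIGN-B", "c2"),
    ("cdn-stat.example", "203.0.113.15", "CAMPAIGN-B", "c2"),
    # A crowded IP shared by many unrelated tenants, as on cheap shared hosting.
    ("shop1.example", "192.0.2.50", "CAMPAIGN-C", "phishing"),
    ("shop2.example", "192.0.2.50", "CAMPAIGN-D", "phishing"),
    ("blog3.example", "192.0.2.50", "CAMPAIGN-E", "phishing"),
    ("forum4.example", "192.0.2.50", "CAMPAIGN-F", "c2"),
]


def defang(indicator):
    """Render an IP or domain so it is not clickable/resolvable when pasted."""
    return indicator.replace(".", "[.]")


def shared_infrastructure(records, max_domains_per_ip=3):
    """Return IPs that link two or more campaigns.

    Result shape: {ip: {"campaigns": [...], "domains": [(domain, campaign, role), ...]}}.
    IPs hosting more than max_domains_per_ip distinct domains are discarded as
    probable shared hosting or CDN space, since linking campaigns through such
    an IP is a classic source of false attribution. The threshold is an
    assumption; tune it against the passive-DNS source you actually use.
    """
    campaigns_by_ip = defaultdict(set)
    domains_by_ip = defaultdict(set)
    for domain, ip, campaign, role in records:
        campaigns_by_ip[ip].add(campaign)
        domains_by_ip[ip].add((domain, campaign, role))
    links = {}
    for ip, campaigns in campaigns_by_ip.items():
        distinct_domains = {d for d, _, _ in domains_by_ip[ip]}
        if len(campaigns) < 2 or len(distinct_domains) > max_domains_per_ip:
            continue
        links[ip] = {
            "campaigns": sorted(campaigns),
            "domains": sorted(domains_by_ip[ip]),
        }
    return links


def report(links):
    """Produce defanged, analyst-readable lines from shared_infrastructure()."""
    lines = []
    for ip, info in sorted(links.items()):
        lines.append(f"{defang(ip)} links {' <-> '.join(info['campaigns'])}")
        for domain, campaign, role in info["domains"]:
            lines.append(f"  {defang(domain)} ({campaign}, {role})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(shared_infrastructure(RECORDS)))
```

On the constructed records only 203.0.113.15 survives: 198.51.100.7 appears in a single campaign, and 192.0.2.50 is discarded as shared hosting because it carries four unrelated domains. Raising the threshold would admit it, which is exactly the kind of over-linking the caveat in the text warns about. Output is defanged so the report can be pasted into a ticket or a post without creating live links.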

d)    Nation-State Actors have conducted cyber attacks with physical effects against opponents’ infrastructure.

In 2017, the Triton malware was used against a Saudi Arabian petrochemical facility, where it modified the plant’s safety instrumented system controllers; the controllers tripped and shut down an industrial process. Iran was widely suspected at the time, but FireEye has since linked the activity to a Russian government-owned research institute. In December 2015, Russia demonstrated the ability to shut down parts of Ukraine’s power grid amid the conflict between the two countries. Russia is also believed to be behind attempted intrusions into Irish energy networks, possibly as a testing ground for capabilities intended for more formidable opponents.

Press reporting in 2019, drawing on US CYBERCOM sources, suggested that the US had placed covert implants in Russia’s electrical grid that could be used to disrupt Russian infrastructure in the event of a future attack, such as interference in the 2020 presidential election. The reporting framed this as a response to Russian actors gaining access to US energy-sector networks, including those of nuclear plant operators, as reported in 2018.

In August 2019, shortly before Black Hat, Microsoft reported that in April its Threat Intelligence Center had discovered a targeted attack on IoT devices: a voice-over-IP (VoIP) phone, a printer and a video decoder. The attack hit multiple locations and used the devices as soft entry points into wider corporate networks. Two of the three devices still carried factory default passwords; the third was running outdated software. Microsoft attributed the activity to the Russian group it calls Strontium, better known as Fancy Bear, which security researchers track as APT28. Around the same time, the same state-sponsored group was linked to the compromise of the encrypted email accounts of researchers investigating crimes alleged to have been committed by the Russian state.

e)    Nation-States use the dark web to gain political influence by doxing political opponents.

According to the Mueller report, the GRU breached the DNC during the 2016 campaign and, through personas including Guccifer 2.0, released the stolen material at carefully chosen moments to influence the US election. Tor’s DoxBin (doxbwurbe475dm5i[.]onion) hosts numerous doxes of key international figures, and President Trump has been extensively doxed, with examples on the dark web services Cebolla and DoxBin.

f)      Dark Web Propaganda.

The effective use of propaganda is a key feature of a successful information operations effort. Malicious information about a political or military opponent can be leaked at critical times to influence the outcome and public opinion. The dark web contains numerous examples where government data from nations has been leaked to hidden forums and paste sites for political gain and international influence.

Similarly, the Guardian reported that a Saudi cybersecurity unit had been ordered to hack its computer networks because of the paper’s critical coverage of the Kingdom’s murder of Washington Post journalist Jamal Khashoggi.

g)     One of the most basic fingerprints of Nation-State Actors on the dark web is intelligence collection.

It is a widely known “secret” that Israel’s Mossad and the US CIA conduct HUMINT (human intelligence) collection in dark web forums, chatrooms and IRC channels. Agents are regularly called out and teased for their obvious presence in some popular dark web rooms.

Critical US defense technology has also surfaced on the dark web, available for collection and reverse engineering by foreign adversaries. Last year, for example, US military documentation for the MQ-9 Reaper drone was offered for sale on the dark web and widely proliferated. The Reaper material, along with other military documents, had been stolen from a US Air Force captain’s computer.

Open source reporting revealed that Pegasus, the mobile spyware developed by the Israeli company NSO Group and delivered through vectors including WhatsApp, had been deployed in 45 countries and sold to Saudi Arabia for monitoring potential dissidents, a more covert means of intelligence collection. A recent hack of the Russian contractor SyTech exposed an effort to de-anonymize Tor, potentially revealing the true identities of visitors to, and hosts of, hidden services on the network.

Editor’s note: We’d like to be clear that policing and legitimate law enforcement activity on the dark web has been intentionally kept separate from Nation-State Actors in this report. We have not assumed they work independently of each other; law enforcement is a critical branch of government, and in smaller countries with limited resources it is often more integrally involved. We have, however, chosen not to discuss the ‘fingerprints’ left by law enforcement on the dark web. Law enforcement has a well-known presence there, hosting honeypot hidden services such as fake markets and forums and posing as drug vendors on popular cryptomarkets to catch buyers of lethal drugs such as fentanyl. There are numerous open source examples of concerted international law enforcement efforts to take down markets and child abuse communities.

Nation-State Proxies and Cyber Terrorism

With this ever-changing threat landscape, Nation-States are turning to proxies and leveraging the terrorist segment of the dark web to launch attacks while avoiding attribution. Instead of pitting a room full of cyber-soldiers in China against a room full of operators at Fort Meade (NSA), some Nation-States hire private “contractors” to conduct information operations on their behalf.

Russia has the most extensive stable of cyber mercenaries and private contractors serving its Nation-State agenda. In late October, open-source reporting from the UK said the National Cyber Security Centre had found that the Turla group, an espionage group attributed to the Russian state, had hijacked the infrastructure of a suspected state-backed Iranian group known as OilRig or APT34 and carried out attacks in 35 countries. In July the same team had been actively targeting US political groups, using the code string ‘TrumpTower’, which, taken together with the Microsoft reporting above, might suggest a link to the Iranian Phosphorus group.

Russia’s contractors are active inside Tor as well. Earlier this year, hackers operating under the name ov1Ru$ breached the Russian intelligence contractor SyTech, revealing a number of secret programs aimed at Tor anonymity. One of them, Nautilus-S, ran malicious exit nodes in the Tor network in an attempt to de-anonymize Tor traffic. An exit node on its own sees the destination and any unencrypted content of a connection but not the originating client’s IP address, so such a program depends on correlating traffic with other vantage points. The contractor, which worked closely with the Russian Air Force and FSB unit 71330, also ran an earlier program from 2010, Nautilus, that harvested social media data from users of Facebook, Twitter, LinkedIn and others.

Perhaps Russia is modeling this on the US National Security Agency’s relationship with its commercial contractors. Booz Allen Hamilton (BAH), for example, has hundreds if not thousands of intelligence and cybersecurity specialists working alongside the NSA. Significant NSA leaks in recent history were carried out by contractors: Edward Snowden, who worked for BAH, and Reality Winner, who worked for Pluribus International; both held sensitive compartmented information access while working on behalf of the US government. The NSA and other intelligence community organizations will continue to rely on outside contractors to meet their overall national threat intelligence objectives.

Terrorists as quasi-Nation-State Actors, and the changing use of technology in the dark web

Global terrorism, often fueled financially and politically by certain Nation-States, has an ever-changing and often reactive footprint on the dark web, reactive to geopolitical events and policies as well as to changing technology. Many large extremist organizations such as ISIS, al-Qaeda and Lebanese Hezbollah have declared themselves “Nation-States” in their own right, complete with military resources such as cyber armies and tactical hacking teams eager to fulfil their agendas. In the West, there is widely conflicting open source reporting on the true activities of such quasi-Nation-States on the dark web.

A few years ago, ISIS was assessed to be extensively using anonymous networks to obscure the location and identities of its members and recruits. There were also a number of easily accessible hidden services advertising Daesh-affiliated content (Daesh being the group’s Arabic-language acronym), including recruitment and propaganda material. However, DarkOwl assesses with medium confidence that anonymous networks such as Tor will have limited future use in overt terrorist recruitment and propaganda dissemination; instead, terrorists are demonstrating a preference for encrypted mobile applications such as WhatsApp and Telegram for organizational coordination and communication.

Last year, Professor Gabriel Weimann published an extensive report with the Wilson Center detailing why terrorists will continue to use the dark web and associated encrypted communication protocols and technology.


[Excerpt from the report below]

  1. Terrorists use the dark web to hide: Extensive monitoring of the surface web by social media companies and security officials has resulted in a faster rate of removal of extremist content from social media platforms. Correlated with this is an increased use by terrorist networks of the dark web for communication, radicalization and planning attacks.

  2. Terrorists use the dark web for recruitment: While initial contact can be made on surface web platforms, further instructions are often given on end-to-end encryption applications such as Telegram on how to access jihadist affiliated websites on the dark web.


Despite this, DarkOwl continues to observe some terrorist groups, such as Jaish-e-Mohammed use the dark web to actively recruit female fighters after seeing ISIS success using jihadi-brides as fighters in Iraq and Syria.


[Excerpt from the report continued below]

  3. Terrorists use the dark web as a reservoir of propaganda: The removal of extremist and terrorist content from the surface web increases the risk that material of terrorist organizations may be lost. Much of this content later resurfaces on the dark web.

  4. Terrorists use virtual crypto-currencies to evade detection and to fundraise: Terrorists, like criminals, use cryptocurrency because it provides the same form of anonymity in the financial setting as encryption does for communication systems.


According to a dark web news outlet, at the end of 2017 researchers saw a surge in ISIS fundraising, specifically donation sites soliciting Bitcoin, confirming that ISIS cyber operatives are aware of the risk posed by financial transaction monitoring. At this time, there is no indication in DarkOwl’s database that ISIS-related terrorists are deliberately laundering coins to defeat investigative blockchain analysis.

There are currently very few easily discoverable ISIS or other formal terrorist-group hidden services on the dark web. DarkOwl has catalogued content from when ISIS was more active on the Tor network. One example is “Cyber Kahilafah,” a hacking arm of the Islamic State that in 2016 was extremely active on the dark web posting ISIS-associated content such as videos and propaganda and training material. Some dark web forums suggested these services were a honeypot run by Western governments. Note the crawl date of the content in the DarkOwl Vision result below.

Owing to the extensive efforts of international alliances in the “war on terror,” few terrorist groups have the infrastructure and organizational strength to coordinate widely over anonymous networks. In 2016, the vigilante hacker collective Anonymous attacked suspected ISIS members across the dark web, posting contact information (email addresses, social media accounts) for members and the surface websites of supporters, notably Nasher Islamic State (@nashirislamicstateEN). Anonymous’s campaign against ISIS continued into 2019, with more Daesh/ISIS members’ social media and personal information shared across multiple deep web paste services.

Such independent targeting of terrorists on the dark web continues: a post from late September 2019 gave possible geolocation coordinates for the ISIS leader Abu Bakr al-Baghdadi and closed with “ENJOY CIA,” as if the information could be used for operational targeting by the US intelligence community. Al-Baghdadi was killed in a US-led special operations raid exactly a month after the post. The coordinates in the paste do not, however, correspond to Idlib, where his compound was located and where he died.

With ongoing conflicts against terrorism in Syria, Iraq, Afghanistan, Yemen and the Gaza Strip, the number of splinter groups is growing, especially after Turkey’s recent offensive against Kurdish forces along the Syrian-Turkish border. Tor hosts a range of such imagery, including videos of beheadings and executions carried out in Yemen by ISIS fighters.

These pressures have pushed most ISIS-affiliated terrorists to encrypted messaging platforms such as WhatsApp and Telegram. A deep web post from July 2019 also hinted that ISIS recruitment was taking place in private Discord channels; Discord is a proprietary voice and text chat platform favored by the gaming community and by deep web criminals.

After Facebook acquired the popular mobile app WhatsApp, there was a concerted shift to Telegram. ISIS activity on Telegram continues to grow, with regular videos, pictures, links and propaganda, despite the community perception that Telegram is strict about child sexual abuse material and terrorist content.

A Discussion Worth Continuing

Nation-State and state-sponsored cyber threat actors are resourceful, employing a mix of open source and dark web assets to complete their information operations missions. Cyber combatants, state-sponsored proxies and teams of mercenaries use the dark web for intelligence collection and source development, government and corporate espionage, exploit development and testing, disinformation operations for geopolitical influence, infrastructure disruption, and financial gain. While unique Nation-State ‘fingerprints’ are identifiable in some dark web use cases, the public release of cyber weapons that once belonged exclusively to the NSA and the CIA has given formerly less-powerful nations the ability to reframe themselves as power players, gain influence previously out of their reach, and obscure the origin of their attacks, further confounding attribution for cybersecurity researchers.

Global terrorism, frequently fueled financially and politically by specific Nation-States, has an unpredictable and often reactive footprint on the dark web, reactive to geopolitical events and policies as well as to changing technology. Terrorists’ adaptability has them shifting away from the dark web toward end-to-end encrypted proprietary platforms such as WhatsApp and Telegram, where they can recruit, strategize and disseminate propaganda anonymously.

As Nation-State Actors, cyber-proxies and terrorist organizations continue to evolve their use of the dark web and anonymizing technologies, the cybersecurity community must remain vigilant and continue the conversation on intelligent identification and adaptive tracking of their ever-changing tactics, techniques and communication preferences.

Annex

DarkOwl has compiled the following analysis to help contextualize the power ranking of select nation’s cyber capabilities.

UNITED STATES

The US is rich in manpower, skill, finances and international influence. The number of cyber personnel employed by the US runs well into the tens of thousands, possibly more, following the elevation of US Cyber Command (CYBERCOM) to a unified combatant command and the standing up of its service components, such as Army Cyber Command (ARCYBER) and Fleet Cyber Command (FCC). The US also leads in technical skill development and international influence, spearheading numerous global cyber initiatives on both the dark and surface webs. This week, the public learned that the US had deployed an elite cyber team to Montenegro to collaborate with that country in anticipating Russian interference in the 2020 US presidential election.

CHINA

China extensively uses the deep web for espionage and intelligence collection. While China blocks its citizens’ use of Tor, the government regularly exploits the technology’s anonymity through its sophisticated PLA Unit 61398 to target US military defense technology and intellectual property. China is also adept at identifying the key defense industrial contractors for targeted network attacks to collect designs, documents and administrative details of critical export-controlled technology. This summer, China-based hackers were discovered running a large-scale cellular espionage campaign against 10 different mobile carriers around the world. The access gained could be leveraged for a future large-scale attack on cellular voice and data infrastructure. The campaign may have been orchestrated in retaliation for the ongoing global 5G arms race and the US crackdown on China’s telecommunications provider Huawei, which restricts its 5G activities in the West.

Since 2015, the state-sponsored PLA Unit 78020 has also been involved in large-scale military, political and economic cyber espionage in the resource-rich South China Sea region. The campaign relies on an intricate network of domains and resources, including IP addresses located in the Denver, Colorado area, according to an in-depth intelligence report published by ThreatConnect, Inc.

RUSSIA

As is apparent from numerous media reports and FBI indictments in recent years, Russia’s government and intelligence services have deeply penetrated the dark web, conducting large-scale Nation-State campaigns against targets all over the world. The attacks regularly include the US and its Western allies in what could be perceived as an all-out cyber war, demonstrating a wide array of advanced technical capabilities. Analysts of the Department of Defense’s cyber strategy struggle to quantify the exact number of cyber specialists available for Russian campaigns, but there are reports of a number of elite dedicated operational hacking units, including GRU Unit 26165 and its sister Unit 74455, both tied to the hack of the Democratic National Committee and the GRU’s elaborate campaign to influence the US election. Russia is also infamous for its use of cyber proxies, hiring advanced non-government criminal organizations to conduct APT attacks on its behalf.

ISRAEL

Israel is a highly secretive and influential Nation-State Actor. Unit 8200, Israel’s elite signals intelligence organization, is comparable to the NSA but with a more focused and calculated operational agenda. It is augmented by a number of other highly technical units within the Israel Defense Forces (IDF). Conflicting reporting alludes to a dedicated Israeli cyber command, but those capabilities may at present be distributed among the IDF’s various telecommunications divisions. Former Unit 8200 personnel have also been hired by Israeli cyber companies to carry out Israel-sponsored covert activity in dark web operations that require more legal freedom and less international scrutiny.

GERMANY

Germany, the UK and France all have sophisticated cyber capabilities. Germany has recently established its own Cyber and Information Space Command (CIR), with over 13,000 personnel assigned to ward off network intrusions and disinformation campaigns. German law enforcement also leads in state-level dark web presence, having participated in taking down several prominent cryptomarkets and drug vendors in recent years.

UNITED KINGDOM

Recent reporting that hackers from the United Kingdom infiltrated Russia’s Turla group highlights the sophistication of the UK’s capabilities. GCHQ has doubled its capabilities since 2014, delivering full-spectrum operations from tactical to high-end counter-state offensive cyber (https://www.cbronline.com/news/uk-cyber-warfare-gchq). With the UK’s NHS a principal victim of WannaCry in 2017, the UK is positioned not only to defend itself from future attacks but to counter-attack when needed.

UKRAINE

Ukraine was originally not considered a prominent Nation-State Actor worth including in our analysis. In the past, Ukraine's cyber capabilities centered on organized crime and the dark web carding community. Given the most recent media reports featuring Ukrainian government figures and businessmen of interest and their influence in US election politics, Ukraine's "influence" on the international stage is notable. This "influence," coupled with Ukraine's persistent conflict with Russia over the annexation of Crimea, including defending against Russian cyber attacks on Ukraine's electricity infrastructure, places Ukraine in the top 10 Nation-State Actors in the cyber domain. Adding Ukraine at the last minute also demonstrates how rapidly and drastically conditions can change in this environment.

FRANCE

In early 2019, France published its new military cyber strategy, consisting of two separate documents: the Ministerial Policy for Defensive Cyber Warfare (hereafter the Ministerial Policy) and the Public Elements for the Military Cyber Warfare Doctrine (hereafter the Public Elements). France has significant influence in the EU and NATO, making up for what it lacks in human capital for the cause. (Source)

IRAN

Iran leads the Middle Eastern countries (other than Israel) as a major Nation-State cyber actor. Iran's Cyber Army has been a formidable threat for over a decade, targeting a variety of western defense and commercial networks. After the Stuxnet worm, attributed to the United States, infiltrated and damaged the centrifuges of its nuclear enrichment program, Iran invested heavily in developing the skills and resources to hold its own on the international cyber stage. Iran also operates heavily in a "proxy" configuration, collaborating with smaller Nation-States to share technology and resources. It is assessed that any Nation-State-level cyber attack from Iran could be conducted with the aid of countries such as North Korea, Syria, and Yemen.

Iran has also been known to collude with terrorist organizations such as Hezbollah and with private hacking groups. By training private hackers and rogue terrorists, possibly without clear direction or operational boundaries, Iran could be key in orchestrating the next global cyber war.

NORTH KOREA

North Korea is widely held responsible for a number of large-scale attacks against international banking infrastructure, assessed as a response to the international economic sanctions levied for its refusal to halt its nuclear programs. According to open source intelligence reporting, North Korean hackers have deployed a new ATM malware, called ATMDTrack, that records and steals card data from cards inserted in compromised ATMs in India. ATMDTrack is assessed to be a component of the much larger DTrack malware family, a remote access trojan (RAT) that, beyond command and control, supports keylogging, retrieving browser history, gathering host IP addresses and information about available networks and active connections, listing all running processes, and listing all files on all available disk volumes of the victim machine.

INDIA

India has designated the National Technical Research Organisation (NTRO) as the main agency for protecting national critical infrastructure and handling cybersecurity incidents in the critical sectors of the country. Aside from cyber attacks from Pakistan, India faces attacks from other key malicious Nation-State Actors, as seen above in North Korea's attacks on India's banking infrastructure. Recent conflicts in Kashmir increase the need for a defensive posture against vigilante hackers supporting the Kashmiri people.

CANADA

Canada has passed comprehensive legislation, Bill C-59 (introduced in 2017 and given Royal Assent in June 2019), to empower Canada's Communications Security Establishment (CSE) to conduct offensive cyber operations. The sweeping bill positions the CSE (Canada's counterpart to the NSA) to take a more "active cyber" posture as opposed to its previous defensive and reactive position. The legislation authorizes the CSE to "carry out activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defense or security." Canada will not stand alone on the world stage in cyber, but has the resources and parliamentary backing to influence, protect and defend Canadian infrastructure from Nation-State attacks.

Darknet Whack-A-Mole – Chasing Criminal Markets


Keeping current and making sense of recent news surrounding Darknet Marketplaces is a challenge for even the most active and engaged Tor enthusiasts. In this blog, DarkOwl analysts dive into the latest dark web market exit scams, the recent, widespread law enforcement operations and their impact, and how cryptomarkets will continue to be a significant segment of darknet hidden services available to underground and would-be criminals.

Below is a timeline of the primary events leading up to, and resulting from the recent turbulence surrounding many darknet marketplaces.

April, 2019

Dream Market Announces Closure & Never Returns

In late March 2019, Dream Market, one of the oldest cryptomarkets, announced that it would cease its current operations on 30 April 2019. The announcement was made by the developer and admin known as Speedsteppers. The statement also mentioned an eventual re-branding under a new Tor hidden service address. For over a year, Dream Market had suffered from extraordinary DDoS attacks, resulting in over 600 mirror links for the marketplace circulating around the dark web.

In early April, Europol confirmed a significant multi-national darknet drug operation resulting in 61 arrests and the confiscation of 50 dark web accounts used for illegal activity. Along with agents from the Federal Bureau of Investigation (FBI), the U.S. Drug Enforcement Administration (DEA), and Canadian police, Europol law enforcement officers executed 65 search warrants and seized almost 300 kg of drugs, 51 firearms, and over €6.2 million ($6.95 million USD) in cryptocurrency, cash, and gold. Given Dream Market's prominence in the dark web community, it is a reasonable assumption that some, if not many, of those arrested were vendors active on Dream. Although there is no mention of Dream Market in the Europol report, it is well known that the marketplace had been a target for law enforcement for some time. Further, the aforementioned new Dream Market onion addresses have shown no activity.

Immediately after the announcement, rumors circulated across popular dark web forums that the Dream Market closure was either led by law enforcement or an inside exit scam. In April, many users had issues withdrawing money from their Dream Market wallets. Some moderators scammed vendors via support ticket notifications, informing the vendor that withdrawals could be restored only after the vendor supplied their password and last-used bitcoin address.

DarkOwl covered the details of Dream’s less than graceful shutdown in “Insider Report: Darknet reacts to Dream Market announcement.”

While it is unknown whether law enforcement infiltrated Dream Market's servers directly, two independent cyber security researchers circulated detailed analysis of Dream Market's admin, SpeedSteppers, de-anonymizing him as Mark DeCarlo based on the domain registrations for several surface websites. One of those sites, shared with Dream users in 2018, contained a link to a clearnet forum called deepwebnetwork.com. [Source1, Source2]


On a hidden service popular with "doxxers", an anonymous hacker briefly posted an IP address for Dream Market. When accessed directly via the leaked IP address, the server returns the Dream Market login screen, along with the familiar Tor network addresses listed in the left sidebar of the page.


Figure 1 Direct Access to Dream Market via Leaked IP Address

Given that the report on SpeedStepper was published in January, the strange behavior of moderators trying to scam vendors, and an inactive URL for "Dream's Partner", it would not be surprising if law enforcement had infiltrated Dream Market months earlier and operated it covertly, as the Dutch National Police did with Hansa in the summer of 2017 following the AlphaBay shutdown.


Figure 2 Source: Dread Forum on Tor (/post/52f54402d99bd51d4b74)

Wall Street Market Exit Scams Then BKA Announces Seizure

As one would expect, Wall Street Market (WSM) surged in popularity almost immediately after Dream's announced shutdown. Almost every social platform recommended that vendors and potential buyers move to WSM and/or Empire to conduct their online market business.

Figure 3 Dread users discuss WSM as the Dream alternative for trading.

In late April, at its peak with an estimated 5,400 vendors, 1.15 million customers, and well over $10 million in cryptocurrency held on the platform, WSM's admins conducted a classic darknet "exit scam." The market's holdings at the time are estimated at somewhere between $11 and $15 million USD. The three admins diverted these funds into their own crypto wallets while claiming the market was in "maintenance mode," all the while unaware that law enforcement was secretly monitoring their accounts.


In the midst of the exit scam, one of the site's moderators, Med3l1n, clearly angry over the exit scam, began blackmailing WSM vendors and buyers, demanding 0.05 bitcoin (at the time ~$286 USD). They threatened to disclose to law enforcement the identities of WSM vendors and buyers who had made the mistake of sharing personal details in support tickets in unencrypted form.

It is unclear whether these extortion attempts succeeded, but days later Med3l1n also published an IP address for a server located in the Netherlands, along with login credentials for the WSM backend, on the popular darknet forum known as Dread, and invited nefarious actors to take down the market.

The IP address is in the same network range as another IP address that leaked from the Wall Street Market backend two years earlier, although, according to public affidavits, the authorities had already discovered the address of the server by other means.

Within days, Med3l1n, identified as Marcos Paulo De Oliveira-Annibale, 29, of Sao Paulo, Brazil, was arrested by German authorities along with the three market administrators, all from Germany:  

  • Tibo LOUSEE (coder420), 23-year-old from Kleve, Germany;

  • Jonathan KALLA (kronos), 31-year-old from Wurzburg, Germany;

  • Klaus-Martin FROST (theone), 29-year-old from Stuttgart, Germany.

All three face charges in both Germany and the United States after a series of operational security missteps led authorities to their IP and physical addresses. The market seizure and arrests were the culmination of a two-year investigation involving agents from the DEA, the FBI, the U.S. Internal Revenue Service, U.S. Homeland Security Investigations, the U.S. Postal Inspection Service, the U.S. Department of Justice, the Dutch National Police (Politie), Europol, and Eurojust.

During the investigation, authorities discovered that the admins had also operated the darknet marketplace German Plaza Market ("GPM"), which launched sometime in early 2015 and shut down in an "exit scam" in approximately May 2016. Agents successfully correlated wallet addresses for GPM with those of WSM, connecting the administrators of both markets.

Law enforcement obtained one administrator's home IP address, registered in the name of the suspect's mother, through a cooperating VPN provider he used. That IP address had been used to access certain administrator-only components of the WSM server infrastructure. KALLA later admitted that he was the WSM administrator known as "Kronos."

As a point of technical interest, the complaint filed with the US District Court in California included a footnote that the US Postal Service was responsible for the blockchain transaction analysis for FROST, and "de-mixed" the flow of transactions to ascertain that the monies from two different wallets ultimately paid FROST's account [Source]. Researchers from Korea University published a paper in May 2018 outlining a de-mixing algorithm that could identify the relationships between the input and output addresses of the popular dark web mixing service Helix with a 99.14% accuracy rate [Source].

Another administrator connected to the WSM infrastructure from the market IP address using a UMTS stick, a USB-powered mobile broadband modem. The UMTS stick was registered under a suspected fictitious name, and the BKA executed multiple surveillance measures to electronically locate the specific device. The UMTS stick was active at a residence of LOUSEE in Kleve, North Rhine-Westphalia (Germany), and at a local information technology company where LOUSEE was employed as a computer programmer. LOUSEE was in possession of the UMTS stick of interest upon arrest.

The PGP public key for "TheOne" is the same as the PGP public key for another moniker on Hansa Market, "dudebuy". Dutch police, with international partners, shut down the Hansa darknet market in July 2017 as part of Operation Bayonet. A financial transaction connected to another crypto wallet used by FROST was linked to "dudebuy". Investigators identified a wallet used by FROST that subsequently received Bitcoin from a wallet used by WSM for paying commissions to administrators. Records obtained from a Bitcoin payment processing company revealed buyer information (connected to Hansa Market, seized in 2017) for a Bitcoin transaction under the name "Martin Frost," using the email address [email protected]. A second link connecting FROST to the administration of WSM is based on additional Bitcoin tracing analysis.
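The PGP key reuse that tied "TheOne" on WSM to "dudebuy" on Hansa is the kind of cross-market correlation an analyst can automate. Below is an added example in Python (not DarkOwl tooling and not taken from the court filings): it de-armors the public key blocks vendors paste into their profiles, computes the OpenPGP v4 fingerprint (SHA-1 over 0x99, the two-byte body length and the public-key packet body, per RFC 4880 section 12.2) and groups aliases that publish the same key. The market/alias labels and the keys are constructed for the demonstration; the "moduli" are small placeholder integers, not real RSA keys.

```python
"""Correlate darknet vendor aliases by OpenPGP v4 key fingerprint.

Added example for this report; not DarkOwl tooling and not taken from the
WSM court filings. Aliases and key material below are constructed for the
demonstration: the "moduli" are small placeholder integers, not RSA keys.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multiprecision integer (RFC 4880 s3.2)."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes(
        (value.bit_length() + 7) // 8, "big")


def build_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Old-format RSA public-key packet: tag 6, two-byte length, v4 body."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


def _crc24(data: bytes) -> int:
    """Radix-64 CRC from RFC 4880 s6.1, used for the armor trailer."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packet: bytes) -> str:
    """ASCII-armor a packet as it would appear pasted into a vendor profile."""
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(_crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + lines
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])


def dearmor(text: str) -> bytes:
    """Recover the binary packet from an armored block, ignoring headers and CRC."""
    payload, in_block = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            in_block = True
            continue
        if line.startswith("-----END"):
            break
        # Skip "Version:"-style armor headers, the blank separator and the "=" CRC line.
        if in_block and line and ":" not in line and not line.startswith("="):
            payload.append(line)
    return base64.b64decode("".join(payload))


def v4_fingerprint(packet: bytes) -> str:
    """SHA-1 over 0x99 || two-byte body length || public-key body (RFC 4880 s12.2)."""
    tag = packet[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 6:
        raise ValueError("not an old-format public-key packet")
    length_type = tag & 0x03
    if length_type == 0:
        header_len, body_len = 2, packet[1]
    elif length_type == 1:
        header_len, body_len = 3, struct.unpack(">H", packet[1:3])[0]
    else:
        raise ValueError("unsupported packet length encoding")
    body = packet[header_len:header_len + body_len]
    if body[0] != 4:
        raise ValueError("only v4 keys are fingerprinted here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def correlate_aliases(profiles: dict) -> dict:
    """Group 'market/alias' labels by the fingerprint of the key each profile publishes."""
    groups = defaultdict(list)
    for label, armored in profiles.items():
        groups[v4_fingerprint(dearmor(armored))].append(label)
    return {fpr: sorted(labels) for fpr, labels in groups.items()}


# Constructed demo material (placeholder integers, not real keys or real profiles).
KEY_A = armor(build_public_key_packet(int("C0FFEED00DCAFEF00DBAADF00DDEADBEEF", 16), 65537, 1514764800))
KEY_B = armor(build_public_key_packet(int("FACEFEEDDEADC0DEBA5EBA11CAFEBABE", 16), 65537, 1519862400))
# Same key as KEY_A, re-armored with a Version header, as a second market might display it.
KEY_A_REWRAPPED = KEY_A.replace("-----\n\n", "-----\nVersion: Demo 1.0\n\n", 1)
SAMPLE_PROFILES = {
    "wsm/theone": KEY_A,
    "hansa/dudebuy": KEY_A_REWRAPPED,
    "dream/unrelated": KEY_B,
}

if __name__ == "__main__":
    for fpr, labels in correlate_aliases(SAMPLE_PROFILES).items():
        print(fpr, labels, "SHARED" if len(labels) > 1 else "")
```

Matching on the fingerprint rather than on the pasted text catches re-armored copies of the same key (different line wrapping, an added Version header) that a plain string comparison would miss. The caveat a practitioner would add: a shared key proves the same key holder only if the private key was not itself leaked or resold, so a fingerprint hit is a lead to corroborate with wallet tracing, as the investigators did here, not a conclusion on its own.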

May, 2019

Finnish Customs Seizes Valhalla (Silkkitie)

During the same week reports of WSM's collapse surfaced, Europol released an official statement that Finnish Customs (Tulli), in close cooperation with the French National Police (La Police Nationale Française), had seized Valhalla, also known as Silkkitie, earlier in the year. The report did not mention many specifics, other than that Finnish authorities hold the entire Valhalla server and its contents, along with a significant drug confiscation. DarkOwl Vision indicates the marketplace went offline sometime in early March.


The May 3rd Europol report stated:

“After the Silkkitie (Valhalla) site was shut down by the authorities, some of the Finnish narcotics traders moved their activities to other illegal trade sites in the Tor network, such as Wall Street Market”

..suggesting the potential for international law enforcement’s concerted attempts to funnel users to a targeted market for takedown.

Valhalla was one of the oldest markets on the dark web, listing over 30,000 products by some statistics. It started in October 2013 as a Finnish-only site called Silkkitie.

FBI Targets Deep Dot Web

On the 6th of May, two DeepDotWeb (DDW) administrators were arrested on charges of receiving kickbacks, earning millions in commission by referring users to specific darknet marketplaces. The seizure of DeepDotWeb alarmed the dark web community because it did not host any illicit content directly, but instead provided users with indexed and catalogued darknet market hidden service URLs, complete with ratings and reviews. DDW admins received money for registrations made through the referral addresses they hyperlinked. Authorities claim that the DDW administrators made millions of dollars using this criminally innovative "picks and shovels" approach to illegal online trading. Coincidentally, while DDW was being shut down, the popular dark web community forum Dread experienced heavy DDoS attacks and was unable to support logins for over a week, causing many to suspect it too had been compromised. DarkOwl analysts speculate that the DDoS against Dread was intentional, to prevent vendors and buyers from coordinating on interrupted sales and illegal trading.


Figure 4 Source: https://www.europol.europa.eu/newsroom/news/deepdotweb-shut-down-administrators-suspected-of-receiving-millions-of-kickbacks-illegal-dark-web-proceeds

CGMC Disappears Overnight

On or about May 10th, 2019, Cannabis Growers & Merchants Co-op (CGMC) silently disappeared without notice. At first, users claimed the market had pulled an exit scam, as they had lost the ability to withdraw funds, contact support, and initiate the refund process. It was later determined that the admins, Marko and Rory, felt enough pressure from the WSM and DDW seizures that it was time to gracefully leave the business. On the night of the self-shutdown, the admins cancelled all pending orders, returned funds to customers, and released all escrow and cash to the vendors. Days after the shutdown, a PGP-signed message from Rory asked for the community's positive vibes, and customers joked about seeing the admins strolling on the beaches of the Seychelles.


Users across other darknet communities scrambled to find their favorite vendors as this was all about the same time Dread was under DDoS and inaccessible for coordination. Many darknet vendors reposted their PGP signatures and offered to continue to serve customers without the markets, trading directly with their previous customers via encrypted communications.

One CGMC vendor shared:

The sellers are in the same situation, but I can confirm:
1. All the escrow was released and cashed (the money went to my wallet)
2. Pending orders the money was returned to the customer
3. All orders from Monday to Thursday are sent
I do not think it’s an exit scam, I think it’s a problem with the website and they’re working on fixing it.
If the market were to close Marko would have warned. Let’s wait a few days to see what happens.
If the situation is not fixed open store in another market. Please, if any of my clients reads this message, verify that the PGP is authentic.

June 2019

Libertas Moved to I2P Then Shutdown due to Inactivity

In late May, Libertas, a Monero-only marketplace, moved its hidden service from the Tor network to the peer-to-peer I2P network, citing "flaws in the Tor network" as justification. The admins also referenced an unconfirmed Tor vulnerability that international authorities have supposedly used to reveal a hidden service's real-world IP address. Libertas provided detailed instructions for its users to set up I2P alongside Tor Browser to access this faster and, they hoped, more secure version of the marketplace.

Libertas has historically been one of the most unique cryptomarkets in the dark web, being one of the first ever to only accept Monero instead of Bitcoin like other marketplaces. In their market announcement over a year ago, Libertas admins suggested that Monero was the “only real way to make anonymous transactions online” including the many ways they ensured the security of the servers supporting Libertas darknet market.


Figure 5 Libertas Original Welcome Message on their Market Forum


On June 19th, after less than a month of operating on I2P, the Libertas admins announced they were shutting down until further notice due to the lack of I2P uptake. They reaffirmed their belief that all Tor network-based hidden services that are allowed to operate are law enforcement sting operations.


Other Tor users have discussed migrating to I2P and encouraged other marketplaces to do so in forums and discussion boards, suggesting that Tor is neither safe nor robust enough from DDoS attacks to host large-scale crime-focused services. Unfortunately, the complexity of setting up I2P has discouraged its broad-based use on scales comparable to the Tor network.

Today: What Market Places Are Still Operational?

Empire Market

Despite its legacy and a familiar user interface dedicated to the late Alexandre Cazes of AlphaBay, Empire has recently been under heavy DDoS, causing a surge in mirror link generation to mitigate the attacks. DarkOwl has knowledge of 135 unique V2 and V3 addresses for the cryptomarket, but believes that over 30% of those could be phishing addresses. In recent weeks, Empire forums have been bombarded by hundreds of complaints that account wallets have been drained, even after users verified links as legitimate. The RapTOR directory service alleges that Empire has indeed exit scammed and that any working links will lead to loss of funds. The dark web community is contentious over the lack of support from staff and the instability of the market.


Empire’s head moderator se7en claims most of the complaints are from customers using “phishing” market links instead of verified ones, but the tune is all too familiar to the behavior of other markets. Empire recently added two-factor authentication (2FA) as an additional security protocol, but a former Empire-mod posted a detailed paste on how easy the 2FA is bypassed, stating “the end user is always the weakest link to a system,” in a recent report by DarkNetLive.

Tochka / Point

With recent market confiscations, Tochka (Point) could now be considered one of the oldest operational darknet cryptomarkets as it started in early 2015 emphasizing a “community-like” culture with classified advertisements and low vendor registration requirements.

Unfortunately, in early June, many users reported that the marketplace was a complete scam, with numerous orders, wallets, and accounts deleted in recent weeks. Comments on a forum suggested that Tochka had suffered a server crash in early June, resulting in the loss of several transactional records, and advised users to contact the moderators active on Dread for assistance. Unfortunately, this week Dread has also been under heavy DDoS, and users are unable to submit complaints or receive technical support.


Other dark web markets worth mentioning

  • Genesis – JavaScript-required market with increasing popularity due to recent news coverage. Online and active.

  • Dark Market – Appeared in May 2019 with admins Sassy & Dark. Now accepts Monero and primarily trades in digital goods (over 1000 listings).

  • Luna – Marketplace that required wallet registration for non-vendors and offered Monero and “locktime” to secure transactions. Offline as of early June.

  • Core – Offline in mid-June after heavy DDoS attack.

  • Cryptonia – Typical dark web cryptomarket experiencing heavy DDoS in recent weeks. Admins pride themselves on their market manifesto that states their movement will never be corrupted by greed. Online and active.

  • Berlusconi – Recently added Multi-Sig wallets and states that they will no longer offer weapons & explosives by the end of June.

  • Nightmare – Experiences regular periods of heavy DDoS. Recently redesigned and returned with new UI and “dark mode.” One of the largest active markets with 65,000+ users, 3,000+ vendors and more than 50,000 listings.

  • Rapture – Rumored to have been built on the source code leaked from Trade Route. Many users thought Rapture exit scammed in late 2018, but returned recently stating they were under heavy DDoS. Offline as of time of writing.

  • Agartha – Similar design to the Agora Reloaded Market that exit scammed. Online and active with no complaints.

  • Apollon – Typical dark web cryptomarket operating since 2018. Possibly connected to former RAMP shop. Surge of users (over 40,000) due to Dream announcement.

  • Enterprise – Brand New as of June 2019. Operational but very few listings.

  • Deep Mart – Appeared in early 2019. Believed to be a scam market based on reviews.

  • The Majestic Garden – In May, TMG moved to only V3 Tor URLs and registration is closed due to surge of registrations after Dream announcement. Online and serving customers.

  • Nirvana Market – Brand new market as of June 2019.

  • Canazon – Features primarily drug vendors. Operational since 2018. Online and active.

  • Silk Road 3.1 – Operational and now accepts Monero. Online and active.

  • UnderMarket 2.0 – Market featuring counterfeiting and fraud items. JavaScript required for some portions of the market. Online and operational.

  • The French Connection – One of the oldest operating markets (over 5 years). Does not ship to the US. Online and active.

  • Yellow Brick Road – Invite-only market by vendors. Online and operational.

Since the start of 2019, DarkOwl Vision has identified and successfully crawled over 3,000 dark web cryptomarket addresses, over 1,800 of them in the month of June alone, as markets spun up mirrors to mitigate DDoS. The Libertas administrators expressed legitimate concerns about Tor's vulnerability to DDoS and host IP address exposure, as is apparent from the crippling DDoS attacks on many of the markets and on critical community forums like Dread.

While many of the historically active markets have voluntarily closed their doors, it is evident by the introduction of multiple markets in recent months, along with the surge of customer and vendor registrations well exceeding thousands of users, that the criminal darknet market community will not be deterred by international law enforcement operations and will resort to direct encrypted communications with their suppliers if necessary.

Update (7/2/2019)

After allegedly negotiating with the would-be DDoS attackers, it would appear that the Dread forum is back online, for now. Check back here for continued updates as our analysts uncover more information.

The market segment of the dark web is the most volatile and dynamic of all types of hidden services available. The status of any of the markets mentioned in this report can change without any notice. This report only covered the status of English-speaking marketplaces and a follow-up report covering non-English cryptomarkets, such as Russia’s MEGA, will be published in the near future. Please continue to check back for updates.

Russians on the Darknet Part II: Marketplaces & Forums


In our previous Russian darknet-focused blog post, we discussed some of the tools and techniques Russians were discussing and using in offensive cyber operations against US and international organizations. Russian criminals are also notorious for selling malicious software (so-called digital goods) on darknet marketplaces that could be used in attacks against government and corporate networks and infrastructure, along with e-mail lists for phishing and a myriad of illegal drugs and counterfeits.

A Historical Look Back

RAMP Landing Page (image sourced from Google images search)

Russia’s presence on the Tor network is most well-known for the historical darknet forum & marketplace, RAMP — Russian Anonymous Marketplace — which was reportedly seized last July after a surprising effort by the Russian Ministry of Internal Affairs-which historically has turned a blind eye to online crimes.

Coincidentally, the RAMP marketplace, active since September 2012, shut down around the same time as international authorities conducted Operation Bayonet, shutting down key centralized Tor marketplaces Alphabay and Hansa, amid concerns about possible law-enforcement’s use of denial of service attacks to expose the real IP address of the marketplace.

What Happened to the RAMP Community?

Similar to the after effects of shutting down AlphaBay and Hansa, the RAMP marketplace closure caused little disturbance to the Russian segment of darknet cryptomarkets. RAMP vendors successfully shifted to other key marketplaces while a hidden service called Consortium attempted to create an “ex-RAMP Verified Vendor Community” specifically for reconnecting with known verified RAMP vendors. DarkOwl Vision has successfully archived over 9,000 results from Consortium’s hidden service domains. Consortium was formed in late 2017 shortly after the RAMP marketplace closure, and active through May 2018. The Consortium hidden service featured 15,000 users, including more than 100 verified RAMP dealers who confirmed their identity with a PGP key. This archive provides an excellent investigative referential database for prominent darknet vendors and their aliases.

DarkOwl Vision Screenshot from Consortium Hidden Service Archive

Hydra

When RAMP disappeared, the legendary Russian marketplace Hydra saw an increase in user registrations and vendor activity, while a near clone of RAMP, called MEGA, surfaced only earlier this year.

Hydra has been an active darknet marketplace catering to the Russian Tor community since the Silk Road days. It resurfaced with a new Tor URL in the summer of 2016, less than two years after law enforcement claimed to have arrested and charged the market's 26-year-old admin, a Hungarian resident, in November 2014 as part of Operation Onymous. Hydra is a centralized marketplace featuring many individual vendor shops, similar to RAMP, with offerings including drugs, digital goods, and even mobile phone SIM cards.

Hydra prefers serious Russian drug vendors, only allowing sellers who are willing to pay “rent” for their shops and requiring a monthly payment of over $100 USD for use of the service. This reduces the likelihood of vendors who are actually scammers or law enforcement utilizing the site for entrapment and exploitation.


Offers of Mobile SIM and Debit Cards on Hydra (http://hydra23qk4ar6ycs[.]onion)

MEGA Landing Page (http://megammpxznehakhm[.]onion)

MEGA

MEGA has a wide range of illicit drug offerings in their market catalog including items ranging from marijuana to opiates with delivery across the Eastern Slavic language countries of Russia, Ukraine, and Belarus. Similar to other anonymous centralized markets, MEGA also supports vendors selling digital goods such as databases, carding and counterfeit related products, and ready to use hacking software. MEGA features a hidden service layout very similar to RAMP, with over 200 links to unique vendor shops from the landing page and many of the same drug vendors that once traded on RAMP also advertise on MEGA.

For example, one drug vendor on MEGA who uses the moniker, Aeroflot openly states in their MEGA vendor profile that they were also active on RAMP. Cross referencing the nickname against DarkOwl Vision revealed that Aeroflot also has their own personal vendor Tor hidden service where they offer popular drugs such as amphetamines, hashish, and psychedelic mushrooms directly without the marketplace interface. The Aeroflot vendor shop was first indexed by DarkOwl Vision in January 2018.


Aeroflot Seller Profile on MEGA

Aeroflot Vendor Shop on Tor (http://aeroflot2rumuq76[.]onion/shop/aeroflot)

Surprisingly, there is little information on the surface web about Russia’s MEGA marketplace, as most open source darknet cryptomarket reporting features Hydra instead.  Despite this, MEGA also has a Clearnet proxy of their site via the website URL http://www.mega2web.com.


DarkOwl Vision Result on Russian drug vendor Aeroflot (DarkOwl Vision Doc ID: ecb6ccdce4898c39adf90c61e6baad36)


Both the MEGA and Hydra hidden services emphasize a trusted vendor-buyer relationship before the market will facilitate the crypto transaction and exchange of goods. On Hydra, for example, before an order from the buyer is processed, the vendor and buyer must communicate and establish trust. The market even offers a "transaction chat" platform for communicating securely about the order. The usual process of browsing, selecting, and ordering a product on the platform is used only to signal to the vendor that you intend to buy from them, referred to on Hydra as a "reservation." The vendor's confirmation and order approval are required before payment for the item is disbursed and shipping commences. This approach theoretically reduces the likelihood of scamming and of law enforcement operations.

Hydra's formidable return after such a large-scale, joint international law enforcement seizure, together with vendors continuing to trade on the RAMP clone MEGA, reinforces the theory that shutting down darknet markets yields only a mild, temporary deterrent effect on the affected darknet community and does not have nearly the impact the media conveys. This supports the argument made by the social scientists Décary-Hétu and Giommoni in October 2016, after an analytical review of the effectiveness of police crackdowns on cryptomarkets, where they stated:

Police crackdowns, as is the case for traditional drug markets, are not effective measures to lower the volume of sales on online illicit drug markets. Cryptomarket participants have been shown to have a minimal reaction, or one that is temporary, to overtly large shows of force and to have the ability to adapt through displacement techniques.

Darknet Forums that Include Marketplace Features

There are a number of Russian-specific forums and bulletin boards across the darknet. DarknetMarkets.co advertises Russia's Wayaway forum as one of the oldest darknet marketplaces, available since 2009, while the Tor hidden service title translates to "First Drug Forum." Unlike centralized markets, Wayaway presents its content in a bulletin board layout with a range of topics, mostly drug-trafficking in nature, such as Shipping in Russia, Trade with CIS (Commonwealth of Independent States) Countries, Jobs, and Laboratory, where questions about home-based personal drug manufacturing are answered. Hydra is listed as a Wayaway Partner in the forum's footer, alongside Hydra logos, market links, and various digital advertising scattered across the forum. Wayaway also serves as a gateway to Russian darknet drug vendors, with a large section of the forum dedicated to connecting site visitors with individual drug vendors (e.g. "Trusted Stores in Russia"), including customer feedback and a question and answer section on transacting and shipping concerns.

Wayaway topics have thousands of views and hundreds of comments indicating the forum serves as a high-volume resource for the Russian Tor community. Many of the most active users on Wayaway also trade in other drug and illegal goods forums on Tor.

RuTor

Another popular Russian forum and marketplace on Tor is RuTor. RuTor has been an active Tor hidden service since 2015 and has quickly established itself as a reliable information resource for Russian hacking, darknet education, and project collaboration. RuTor’s landing page has several distracting advertisements at the top of the site similar to the previously popular RAMP marketplace.

RuTor Russian Forum (http://rutorzzmfflzllk5[.]onion)

Using a bulletin board format similar to Wayaway, RuTor has established sections for Vendor Shop Fronts, Security, and News. The cryptomarket portion of RuTor is tightly controlled by the site administrator, who must be contacted before a deposit can be made to a user's market wallet, whereas most centralized marketplaces automate all market crypto-wallet deposits and withdrawals. RuTor also has extensive threads covering cybersecurity news, corporate data breaches, and technical tips and techniques for network infiltration and tracking.

Runion

Runion Darknet Forum (http://lwplxqzvmgu43uff[.]onion)

Runion, or the Russian Onion Union, whose tagline translates to "Protecting the interests and rights of your paranoia," is another key Russian darknet forum. Runion does not have a marketplace focus, but instead covers a wide range of darknet criminal topics such as Operational Security, Cryptocurrencies, Weapons, Finance and Law, Breaking and Entering, Psychology, Hacking, as well as Substances and Health. Example threads include in-depth technical conversations around potential Telegram hacking techniques, dismantling and shooting an RPG-22, and modifying smartphones for increased telecommunications security.

Administered by one who goes by Zed, Runion lists over 69,000 members, almost 20,000 topics, and over 300,000 messages posted on their forum since 2012. The nickname Zed is active across other hidden services, specifically moderating other well-known Tor carding forums.

Intelligent Hidden Services

The Russian darknet marketplaces and forums featured in this article have had a persistent Tor presence for several years, and many include bot-detection code to prevent automated collection of their content. CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) are present on many of the hidden services to check whether the website visitor is human. DarkOwl Vision's authenticated crawl routine specifically targets services containing high value intelligence behind such access controls. To view the content of a hidden service that uses these bot-detection methods with Professional Tools, search the domain together with the search pod "GROUPS->AUTHENTICATED SITES" to reduce result noise.


Russians on the Darknet Part I

International media recently highlighted the perils of Russian government sponsored cyber espionage operations against US elections in 2016, and the potential risks to the upcoming US midterm election this week.

With increasing concern over the validity of the US election process, DarkOwl analysts decided a review of Russia’s footprint across the darknet could provide insight on how operations on this scale are conducted.

By the Numbers

Russia-based anonymous websites comprise over 36% of the DARKINT™ collected by DarkOwl. DarkOwl has successfully indexed over 300 million pages across anonymous and deep web networks in the Eastern Slavic language of Russian. Russian hacking and carding forums accessible from the surface web account for 92% of the deep web content in DarkOwl Vision.

There are significantly more Russian hidden services on Tor than sites on I2P or ZeroNet, suggesting Russian darknet users prefer Tor over I2P. Russian-language eepsites account for only 10% of the I2P content archived in DarkOwl Vision, and Russian activity on the anonymous network ZeroNet is negligible.

What we know the Russians have been involved in…

Enter "Russian hacking" into any surface web search engine and you will undoubtedly receive millions of results about Russia's malicious cyber operations, ranging from undermining the US democratic election process to targeting the US utility grid. The most recent indictments charged seven Russian intelligence officers with hacking anti-doping agencies using sophisticated equipment that targeted the organizations' wireless (Wi-Fi) networks. (Source)

Target | Technique
2014-2016 hacks against US utilities | Compromised network credentials via simple email phishing
2016 election, DNC (Guccifer) | Vulnerability at the DNC's software provider, NGP VAN
US state voter registration systems | Structured Query Language (SQL) injection
World Anti-Doping Agency (WADA) | Wireless network sniffing
US think tanks (Hudson Institute / International Republican Institute) | Domain phishing

When you dig into the shadows of forums and chatrooms accessible only via the darknet, only security researchers and law enforcement are actively chatting and posting about vulnerabilities to critical US systems and infrastructure. In order to discover clues about what the Russians might be up to, one would need the keywords associated with the technical specifics of the tools and techniques required to carry out such sophisticated operations.  

Reports on the recent World Anti-Doping Agency (WADA) hacks stated that the Russians used a wireless network sniffing device installed in the back of the operatives' car to gain access to the WADA networks. The hackers also used a mixture of malware including Gamefish, X-Tunnel, and Chopstick, most of which had been seen before in other Russian-linked cyberattacks. (Source)


Figure 1: Russian GRU mobile Wi-Fi attack (Courtesy of Dutch Ministry of Defense)


Figure 2: Russian forum discusses how to use such a device to intercept passwords for wi-fi networks

(DarkOwl Vision Doc ID: 536bb1af90f7d52b28430510685c1b51)

As evidenced by the recent attacks against the US think tanks the Hudson Institute and the International Republican Institute, Russian operators are well known for targeted spear-phishing campaigns built on thorough reconnaissance and a well-orchestrated intelligence collection effort before any network intrusion. Spear-phishing is social engineering in the same family as bulk email phishing, but aimed at a specific individual or entity within a network or organization. A leaked NSA document described how Russian offensive cyber operators in 2016 sent election officials emails carrying a Microsoft Word attachment laced with a malicious Visual Basic script; when the document was opened, the script launched a program that opened communications back to an IP address the attackers controlled.
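The lure described above, a Word attachment carrying a Visual Basic script, is detectable before anyone opens it. The following is an added example, not code from DarkOwl, the NSA document or The Intercept: a stdlib-only check that walks a MIME message, unpacks every attachment that is an OOXML (zip-based Office) container, and flags the ones that embed a VBA project. The messages, sender addresses and file contents are constructed inline for the demonstration.

```python
"""Flag Office attachments that embed a VBA project (added example, not DarkOwl's code)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML container (constructed test data).

    Real documents carry many more parts, but the layout is the same: a zip
    whose 'word/vbaProject.bin' entry holds the compiled macro project.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Stand-in for the OLE blob Word stores here; only the name matters to the check.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed vba blob")
    return buf.getvalue()


def make_message(filename: str, payload: bytes) -> EmailMessage:
    """Constructed spear-phishing style message with one attachment (assumed addresses)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "vr.support@example.invalid"
    msg["To"] = "clerk@county.example.invalid"
    msg["Subject"] = "Updated voter registration guide"
    msg.set_content("Please review the attached guide before Tuesday.")
    msg.add_attachment(
        payload,
        maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename=filename,
    )
    return msg


def has_vba(blob: bytes) -> bool:
    """True if the bytes are a zip container with a vbaProject.bin part anywhere inside."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        # Not a zip: legacy OLE2 .doc files need an OLE parser (e.g. oletools' olevba).
        return False


def flag_macro_attachments(msg: EmailMessage) -> list:
    """Return the filenames of attachments that embed a VBA project.

    The check is by content, not by extension, so a .docm renamed to .docx
    (or to .pdf) is still caught.
    """
    hits = []
    for part in msg.iter_attachments():
        blob = part.get_payload(decode=True)
        if blob and has_vba(blob):
            hits.append(part.get_filename() or "<unnamed>")
    return hits


if __name__ == "__main__":
    for name, macro in (("guide.docx", False), ("guide.docx", True)):
        verdict = flag_macro_attachments(make_message(name, make_ooxml(macro)))
        print(f"{name} (vba={macro}): flagged={verdict}")
```

Keying on the zip contents rather than the filename is deliberate: the extension is attacker-controlled, the archive listing is not. The same `has_vba` check applies to .xlsm and .pptm containers, whose VBA part sits under `xl/` or `ppt/` instead of `word/`.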


Figure 3: Detailed Tactics, Techniques and Procedures Used by the Russians to Target US Election Officials in 2016 (courtesy of The Intercept) (Read more)

The sheer volume of compromised email credentials posted for sale in Russian marketplaces and shared on authenticated hacking forums is alarming. 103 .gov email results in DarkOwl Vision contain the phrase "election" in their domain (*@election*.gov) and would give an attacker a ready starting point against specific state election systems.


Figure 4: Advertisement of database with 458 Million Emails and Passwords for Sale in DarkOwl Vision

In the 2016 voter registration system hack, the threat actors relied on off-the-shelf tooling that white-hat testers use every day: the Acunetix web vulnerability scanner, the DirBuster directory brute-forcer, and SQL injection tools such as SQLMap and SQLSentinel. The Russian-speaking hacker Rasputin infamously used a SQL injection exploit of his own development to breach U.S. Election Assistance Commission (EAC) servers and harvest credentials, including accounts with administrative privileges. (Source)
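To make concrete what SQLMap finds and what Rasputin exploited, here is an added example (not DarkOwl's code and not the EAC's application): a minimal voter-lookup query written in the vulnerable string-building style beside its parameterised form, run against a constructed in-memory SQLite table. The table, rows and payloads are all invented for the demonstration; the column names are assumptions.

```python
"""Vulnerable vs parameterised lookup over a constructed voter table (added example)."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a state voter-registration table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE voters (voter_id TEXT, last_name TEXT, county TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO voters VALUES (?, ?, ?, ?)",
        [
            ("AR-0001", "Smith", "Pulaski", "1234"),
            ("AR-0002", "Jones", "Benton", "5678"),
            ("AR-0003", "Nguyen", "Washington", "9012"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """The pattern scanners flag: user input concatenated straight into the statement."""
    sql = f"SELECT voter_id, last_name FROM voters WHERE last_name = '{last_name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, last_name: str) -> list:
    """Hardened form: the driver binds the value, so quotes inside it are data, not syntax."""
    sql = "SELECT voter_id, last_name FROM voters WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


# Classic boolean tautology: the WHERE clause becomes true for every row.
TAUTOLOGY = "x' OR '1'='1"

# UNION-based extraction: pulls columns the endpoint was never meant to expose.
# The trailing '--' comments out the closing quote the application appends.
UNION_DUMP = "x' UNION SELECT ssn_last4, county FROM voters --"


if __name__ == "__main__":
    db = build_db()
    print("normal:       ", lookup_vulnerable(db, "Smith"))
    print("tautology:    ", lookup_vulnerable(db, TAUTOLOGY))
    print("union dump:   ", lookup_vulnerable(db, UNION_DUMP))
    print("parameterised:", lookup_parameterised(db, TAUTOLOGY))
```

The parameterised version returns nothing for either payload because the whole string, quote characters included, is compared against `last_name` as a value. Note that `sqlite3.execute()` refuses stacked statements, which is why the example uses UNION rather than a `; DROP TABLE` style payload; on a server that permits multiple statements the attacker has that option too.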


Figure 5: Acunetix Web Vulnerability Scanner in Action


Figure 6: Discussion of how to use SQLMap against a target network on a Russian forum

(DarkOwl Vision Doc ID: 53e19c5fbe5c7d9c6e625e668d660617)

For the past few years, voter registration records for millions of US voters, with full names, addresses, and voting data, have appeared for sale on darknet hacking forums and marketplaces. DarkOwl has observed data from over 30 states priced between $250 and $5,000 USD per state, including: Colorado, Ohio, Connecticut, Florida, Michigan, North Carolina, New York, Pennsylvania, Rhode Island, Washington, Kansas, Wyoming, Oklahoma, Maryland, Arkansas, Nevada, Montana, Louisiana, Delaware, Iowa, Utah, Oregon, South Carolina, Wisconsin, Georgia, New Mexico, Minnesota, Kentucky, Idaho, Tennessee, South Dakota, Mississippi, West Virginia, Alabama, Alaska, and Texas.


Figure 7: Deep Web Forum post with Content of Arkansas’s Voter Registration Database

(DarkOwl Vision Doc ID: 6e235a3bab7e4e3f293fb2f0f57c6cae)

Many of the posted state databases are older; Alabama's and Alaska's voter registration information, for example, dates from 2015, and many of these databases were already on offer on the infamous AlphaBay darknet marketplace in 2016.


Figure 8: A recent offer for several US State’s Voter Lists for sale as archived by DarkOwl Vision

(DarkOwl Vision Doc ID: cfae62df845b99fc173c42bd3b529303)

In recent weeks, comments from the vendor suggest that the voting records hacker has set up persistent access to the states' databases, posting, "Besides data is refreshed each Monday of every week, once you request the data from me you will receive the freshest possible data from that state." That this data is on the darknet is no surprise, as much of it is publicly available, open source information; the surprise is that anyone would pay for access to information they could easily obtain themselves. Links to some of the states' databases have appeared on darknet forums as-is, with no payment required.

The hacker on the forum identifies themselves as a white male software engineer from the United Kingdom and “apathetic human-being” with other information that could be easily pivoted to the surface web. There is no indication he is affiliated with Russian government sponsored hackers.

Russia-affiliated threat actors and hackers, whether lone wolves or operatives of a major government-led cyber offensive, have more than sufficient tools and resources across the deep web and darknet to exploit and profit from network and server vulnerabilities. Using commercially available penetration testing resources and exploits circulated and sold on the darknet, they regularly infiltrate networks while evading detection by the systems' administrators. Next time we will review some of the Russia-specific marketplaces and forums where these attack techniques are planned and coordinated.


Into the Darknet: What is MTV?

This week we relaunch our “Into the Darknet” blog series that will not only provide a better understanding of the darknet’s history, users, uses and purpose, but will also take an in-depth look at other hot topics in DARKINT, cybersecurity, including malware, toolkits, viruses, cryptocurrency, marketplaces and OPSEC.

In this post, we take a high-level look at malware, toolkits and viruses (MTV), as they are some of the most commonly discussed, released and exchanged tools on the darknet.

Our analysts have adopted the term “MTV” to refer generally to a collection of malware, toolkits and viruses that are used to test, penetrate, exploit or compromise personal or commercial information systems and data. Common systems where MTV could be employed include desktop computers, laptops, servers, network devices, routers, firewalls, printers, WiFi adapters, tablets and smartphones.

WHAT IS MTV?

MTV covers any software used either for defensive (information assurance) or malicious purposes, including bots, password crackers, rootkits, adware, backdoors, keyloggers, ransomware and remote access trojans.

The average hacker will have some or all of these handy in his or her arsenal of tools to use against targeted information systems and will often utilize a variety of MTV in a full-fledged attack, depending on the intent of the operation.

Both penetration testing and risk analysis activities, like those conducted by the DarkOwl Cybersecurity teams, use these same MTV tools preventatively, to find the security holes that could lead to a compromised network. For example, THC Hydra (an open-source tool that brute-forces network logins such as SSH, FTP and web forms) can be used to test the strength of users' passwords on private or commercial networks.

Malicious hackers, cyber spies and cyber criminals, however, can easily use this same code to exploit user accounts with weak credentials.
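The flip side of running Hydra against your own estate is being able to see it when someone else does. The following is an added example, not DarkOwl's code or part of THC Hydra: sliding-window detection logic for the online brute-force pattern Hydra produces (many failed logins from one source in a short window, often across several usernames), run over a handful of constructed sshd-style log lines. The threshold, window, addresses and timestamps are assumptions to tune for your own environment.

```python
"""Detect Hydra-style login brute forcing in sshd-style logs (added example, not DarkOwl's code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches both failure and success lines; 'invalid user' appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one source hammers four accounts in seconds and then gets in;
# a second source has a single typo and later logs in normally.
SAMPLE_LOG = """\
2018-11-05T10:00:01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2018-11-05T10:00:02 sshd[4121]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2018-11-05T10:00:02 sshd[4121]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
2018-11-05T10:00:03 sshd[4121]: Failed password for root from 203.0.113.7 port 51025 ssh2
2018-11-05T10:00:04 sshd[4121]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
2018-11-05T10:00:05 sshd[4121]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
2018-11-05T10:30:00 sshd[4200]: Failed password for alice from 198.51.100.9 port 40010 ssh2
2018-11-05T10:45:00 sshd[4201]: Accepted password for alice from 198.51.100.9 port 40011 ssh2
"""


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Return alerts keyed by source IP.

    An IP is alerted once it accumulates `threshold` failed logins inside any
    `window_s`-second window. Each alert records the total failures seen, the
    set of usernames tried, and whether a later Accepted line from the same IP
    turned the attempt into a probable compromise.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    total = defaultdict(int)      # ip -> all failures seen
    users = defaultdict(set)      # ip -> usernames attempted
    alerts = {}

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]

        if m["result"] == "Accepted":
            # A success after an alert is the signal worth paging on.
            if ip in alerts:
                alerts[ip]["compromised"] = True
            continue

        total[ip] += 1
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()

        if len(q) >= threshold:
            alert = alerts.setdefault(ip, {"failures": 0, "users": set(), "compromised": False})
            alert["failures"] = total[ip]
            alert["users"] = set(users[ip])

    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The per-IP window is the simplest useful shape; a spray from a botnet shows up instead as many IPs each under threshold against one account, so a production rule keeps a second window keyed by username. Rate limiting or lockout at the service itself (fail2ban, sshd `MaxAuthTries`) is what actually stops Hydra, and this detector is there to tell you it was tried.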


A brief History of MTV

The first widely cited virus to spread in the wild appeared in 1982, when Elk Cloner piggybacked on a shared Apple II game, infecting the boot sector of each floppy disk it touched and periodically displaying the now-infamous poem:

It will get on all your disks
It will infiltrate your chips
Yes it’s Cloner!

It will stick to you like glue
It will modify ram too

Send in the Cloner!

— Elk Cloner poem

In the late 1990’s and early 2000’s, both the MTV market and the hacker community exploded with the propagation of the internet, aggressive social engineering tactics and the exploitation of spam emails for malware distribution.

By the mid-to-late 2000's, malware such as the Conficker worm and the Sinowal banking trojan showed how aggressively an infection can spread, and remote command and control, carried over covert communication channels and hidden in concealed payloads, became standard practice.

As antivirus companies grew to counter these emerging threats, the hacker community accepted the challenge and created even more sophisticated and difficult to detect MTV.

Accessing valuable protected information

As society has become more dependent on online activity, our digital footprints, or online presences, have expanded. A lucrative market for trading this information exists on the darknet, with a high value placed on personally identifiable information (PII), among other data.

Malicious hackers and cyber criminals require a variety of MTV tools, such as network discovery tools, password crackers and backdoor access programs, in order to gain unauthorized access to key systems containing this valuable data.

These attackers establish a persistent foothold, typically through remote access tools (RATs), the hallmark of an advanced persistent threat (APT) campaign, and work to evade or disable the IT security measures in place to stop them.

Once connections are established and secured, hackers launch automated data mining programs to harvest valuable information, like PII, and send it to a remote server for final dissemination or leverage. 

Nearly seventy thousand healthcare patient records for sale on darknet hacker forum

TheDarkOverlord has resurfaced on Kickass Forum

TheDarkOverLord announces that they are officially back in business (Source)

TheDarkOverlord, one of the threat actors that DarkOwl analysts routinely monitor, apparently resurfaced last week. In a recent series of posts, an entity claiming to be TheDarkOverlord is advertising a database of personal health information as well as user information taken from an unnamed gaming site, both of which are being offered for sale to willing buyers.

TheDarkOverlord is a hacker – or potentially a collection of personas – who regularly targets the healthcare industry, leaking thousands to millions of patient records.

TheDarkOverlord claims to have hacked “several medical practices”

In the post (pictured below), TheDarkOverlord advertises that they have over 67,000 patient records for sale, stolen from medical and dental practices in California, Missouri, and New York.

The forum listing advertises that these databases include personal and health information including full names, physical addresses, phone numbers, DOBs, driver’s license numbers, SSNs, medical histories, and much more. A specific price point was not provided; rather, the prices are “negotiable.” Interested buyers were instructed to send TheDarkOverlord an encrypted message using the forum’s private messaging system.

TheDarkOverlord also states that they’d be willing to entertain higher offers for data that “no one else will have,” giving the potential transaction a level of exclusivity that will likely attract a certain type of buyer and grab even more public interest.


Screenshot of TheDarkOverlord posting about medical records on Kickass Forum


Screenshot of TheDarkOverlord posting about medical records on Kickass Forum (as displayed in DarkOwl Vision)

Also for sale: a stolen database from a gaming website

On the same day, TheDarkOverlord posted a listing on the same Kickass Forum’s marketplace for 131,000 records from an “unnamed gaming website.” As advertised, these records include users’ email addresses, passwords, DOBs, IP addresses, and much more.

So far, it would appear that TheDarkOverlord is taking serious inquiries only. For example, in the comment section for the post below, someone asked for the name of the gaming website in question, and TheDarkOverlord responded that they would like "proof of funds and intent to purchase" before disclosing any additional information.


Screenshot of TheDarkOverlord posting about gaming user info on Kickass Forum


Screenshot of TheDarkOverlord posting about gaming user info on Kickass Forum (as displayed in DarkOwl Vision)

Both postings on Kickass Forum remain live at time of publication. DarkOwl analysts will continue to track TheDarkOverlord and post updates here.

Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.